Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1445162
MD5:	d9a7d15ae1511095bc12d4faa9be6f70
SHA1:	b90fbb35eb6dd050e4829ecac702feab90f58859
SHA256:	bdc61e24b03db5dbdeaf7979906ea51f0bfe388b41d8e7e80bde6d9acd716bba
Tags:	exe
Infos:

Detection

PureLog Stealer, zgRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected PureLog Stealer

Yara detected zgRAT

AI detected suspicious sample

Allocates memory in foreign processes

Injects a PE file into a foreign processes

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Enables security privileges

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Installs a raw input device (often for capturing keystrokes)

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

file.exe (PID: 3872 cmdline: "C:\Users\user\Desktop\file.exe" MD5: D9A7D15AE1511095BC12D4FAA9BE6F70)

MSBuild.exe (PID: 6052 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

conhost.exe (PID: 5248 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
zgRAT	zgRAT is a Remote Access Trojan malware which sometimes drops other malware such as AgentTesla malware. zgRAT has an inforstealer use which targets browser information and cryptowallets.Usually spreads by USB or phishing emails with -zip/-lnk/.bat/.xlsx attachments and so on.	No Attribution	https://bazaar.abuse.ch/browse/signature/zgRAT/ https://kcm.trellix.com/corporate/index?page=content&id=KB96190&locale=en_US https://www.cloudsek.com/blog/threat-actors-abuse-ai-generated-youtube-videos-to-spread-stealer-malware https://www.difesaesicurezza.com/cyber/cybercrime-rfq-dalla-turchia-veicola-agenttesla-e-zgrat/ https://www.fortinet.com/blog/threat-research/smokeloader-using-old-vulnerabilities	https://malpedia.caad.fkie.fraunhofer.de/details/win.zgrat

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
file.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2111135106.0000000000402000.00000040.00000400.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000002.2105387485.00000000046EC000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
00000000.00000000.1994966635.0000000000D22000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: file.exe PID: 3872	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.2.file.exe.4746ff0.1.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.file.exe.4746ff0.1.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.file.exe.4746ff0.1.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x44171:$s1: file:/// 0x440cd:$s2: {11111-22222-10009-11112} 0x44101:$s3: {11111-22222-50001-00000} 0x41283:$s4: get_Module 0x3b664:$s5: Reverse 0x3c348:$s6: BlockCopy 0x3b62d:$s7: ReadByte 0x44183:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.2.file.exe.4746ff0.1.raw.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
0.2.file.exe.4746ff0.1.raw.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
0.2.file.exe.4746ff0.1.raw.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45f71:$s1: file:/// 0x45ecd:$s2: {11111-22222-10009-11112} 0x45f01:$s3: {11111-22222-50001-00000} 0x43083:$s4: get_Module 0x3d464:$s5: Reverse 0x3e148:$s6: BlockCopy 0x3d42d:$s7: ReadByte 0x45f83:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
2.2.MSBuild.exe.400000.0.unpack	JoeSecurity_zgRAT_1	Yara detected zgRAT	Joe Security
2.2.MSBuild.exe.400000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
2.2.MSBuild.exe.400000.0.unpack	MALWARE_Win_zgRAT	Detects zgRAT	ditekSHen	0x45f71:$s1: file:/// 0x45ecd:$s2: {11111-22222-10009-11112} 0x45f01:$s3: {11111-22222-50001-00000} 0x43083:$s4: get_Module 0x3d464:$s5: Reverse 0x3e148:$s6: BlockCopy 0x3d42d:$s7: ReadByte 0x45f83:$s8: 4C 00 6F 00 63 00 61 00 74 00 69 00 6F 00 6E 00 00 0B 46 00 69 00 6E 00 64 00 20 00 00 13 52 00 65 00 73 00 6F 00 75 00 72 00 63 00 65 00 41 00 00 11 56 00 69 00 72 00 74 00 75 00 61 00 6C 00 ...
0.0.file.exe.d20000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Click to see the 5 entries

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 13%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.1% probability

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E15DE00 CryptGenRandom,__CxxThrowException@8,	0_2_6E15DE00
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E15DEE0 CryptReleaseContext,	0_2_6E15DEE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E15DD20 CryptReleaseContext,	0_2_6E15DD20
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E15DBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,	0_2_6E15DBB0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E15D9D0 CryptAcquireContextA,GetLastError,	0_2_6E15D9D0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E15D7D5 CryptReleaseContext,	0_2_6E15D7D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E15D7F0 CryptReleaseContext,	0_2_6E15D7F0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E1835E0 CryptReleaseContext,	0_2_6E1835E0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.Linq.2015\Release\System.Data.SQLite.Linq.pdb source: file.exe
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: file.exe, 00000000.00000002.2105387485.0000000004C6F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2105387485.0000000004633000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2115924406.0000000005E20000.00000004.08000000.00040000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\standalone\Release\apphost.pdb source: file.exe
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.2125522885.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\standalone\Release\apphost.pdbfffGCTL source: file.exe
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: file.exe, 00000000.00000002.2105387485.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2115924406.0000000005EDA000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2105387485.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05B83C28
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05B83C22
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 05B8BF2Ah	0_2_05B8BE78
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_05B82928
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_05B8291C
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05B838F8
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05B838F1
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_05B8C338
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05B83B18
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05B83B10
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_05B8C340
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then jmp 05B8BF2Ah	0_2_05B8BA9A
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05B83A08
Source: C:\Users\user\Desktop\file.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05B83A00

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23
Source: unknown	TCP traffic detected without corresponding DNS query: 104.18.38.233
Source: unknown	TCP traffic detected without corresponding DNS query: 172.64.149.23

Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: $]q3IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb@\]q equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: IndexedDB\https_www.youtube.com_0.indexeddb.leveldb`,]q equals www.youtube.com (Youtube)
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002C39000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: `,]q#www.youtube.com_0.indexeddb.leveldb equals www.youtube.com (Youtube)

Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: file.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: file.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: file.exe	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: file.exe	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: file.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: file.exe	String found in binary or memory: http://ocsp.digicert.com0O
Source: file.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: file.exe	String found in binary or memory: http://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?The
Source: file.exe	String found in binary or memory: https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=&rid=falsetrue%pLuLdluldeEpP%c
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.s
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002C09000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ip.sb/ip
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: file.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: file.exe	String found in binary or memory: https://system.data.sqlite.org/
Source: file.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: file.exe	String found in binary or memory: https://www.sqlite.org/lang_aggfunc.html
Source: file.exe	String found in binary or memory: https://www.sqlite.org/lang_corefunc.html

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705

Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp

Binary or memory string: GetRawInputData

memstr_ac11f1f2-f

System Summary

Malicious sample detected (through community Yara rule)

Source: 0.2.file.exe.4746ff0.1.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 0.2.file.exe.4746ff0.1.raw.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: Detects zgRAT Author: ditekSHen

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E12B6B0	0_2_6E12B6B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E154EE0	0_2_6E154EE0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E17AC29	0_2_6E17AC29
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E122D70	0_2_6E122D70
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E144AC0	0_2_6E144AC0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E108B30	0_2_6E108B30
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E170B89	0_2_6E170B89
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E144970	0_2_6E144970
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E106650	0_2_6E106650
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E10C7B0	0_2_6E10C7B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E10A7E0	0_2_6E10A7E0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E144550	0_2_6E144550
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E17A54D	0_2_6E17A54D
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E162310	0_2_6E162310
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E1563B0	0_2_6E1563B0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E11A0C0	0_2_6E11A0C0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E143E50	0_2_6E143E50
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E155EB9	0_2_6E155EB9
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E17BFF1	0_2_6E17BFF1
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E179FFC	0_2_6E179FFC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E143C90	0_2_6E143C90
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E161CA0	0_2_6E161CA0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E175DD2	0_2_6E175DD2
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E155DD0	0_2_6E155DD0
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E179AAB	0_2_6E179AAB
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E155830	0_2_6E155830
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E1558D5	0_2_6E1558D5
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E1558D7	0_2_6E1558D7
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E17B964	0_2_6E17B964
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E143460	0_2_6E143460
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E155274	0_2_6E155274
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E143260	0_2_6E143260
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E155050	0_2_6E155050
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03468E40	0_2_03468E40
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03467DC8	0_2_03467DC8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0346BDA8	0_2_0346BDA8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03461648	0_2_03461648
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03460E48	0_2_03460E48
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03460E58	0_2_03460E58
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03461638	0_2_03461638
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_067026F8	0_2_067026F8
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06700EB3	0_2_06700EB3
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_067026DC	0_2_067026DC
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_06700930	0_2_06700930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00DA62E8	2_2_00DA62E8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00DA6030	2_2_00DA6030
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00DA6020	2_2_00DA6020
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00DA62D9	2_2_00DA62D9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02A9B33C	2_2_02A9B33C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02A9D348	2_2_02A9D348
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_02A9D343	2_2_02A9D343

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Security

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6E169B35 appears 141 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6E1690D8 appears 51 times
Source: C:\Users\user\Desktop\file.exe	Code function: String function: 6E16D520 appears 31 times

Source: file.exe

Static PE information: invalid certificate

Source: file.exe, 00000000.00000002.2120297143.0000000006361000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2105387485.0000000004C6F000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000000.1994966635.0000000000D22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameSystem.Data.SQLite.Linq.dllF vs file.exe
Source: file.exe, 00000000.00000000.1994966635.0000000000D22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameOutlook Primary Interop AssemblyL vs file.exe
Source: file.exe, 00000000.00000000.1994966635.0000000000D22000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameZipExtractor.dll: vs file.exe
Source: file.exe, 00000000.00000002.2105387485.00000000046EC000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSnorings.exe" vs file.exe
Source: file.exe, 00000000.00000002.2105387485.0000000004E14000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSnorings.exe" vs file.exe
Source: file.exe, 00000000.00000002.2104966368.00000000035A1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2120334942.0000000006460000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2115924406.0000000005FA8000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000002.2105387485.0000000004DFB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs file.exe
Source: file.exe, 00000000.00000000.1995460540.00000000011D2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameportablefromdigitally_hub4.exeX6 vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameSystem.Data.SQLite.Linq.dllF vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameOutlook Primary Interop AssemblyL vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameZipExtractor.dll: vs file.exe
Source: file.exe	Binary or memory string: OriginalFilenameportablefromdigitally_hub4.exeX6 vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.file.exe.4746ff0.1.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 0.2.file.exe.4746ff0.1.raw.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT
Source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE	Matched rule: MALWARE_Win_zgRAT author = ditekSHen, description = Detects zgRAT

Source: MSBuild.exe, 00000002.00000002.2125522885.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: .configAMSBUILDDIRECTORYDELETERETRYCOUNTCMSBUILDDIRECTORYDELETRETRYTIMEOUT.sln
Source: MSBuild.exe, 00000002.00000002.2125522885.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.sln /t:Rebuild /p:Configuration=Release
Source: MSBuild.exe, 00000002.00000002.2125522885.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb
Source: MSBuild.exe, 00000002.00000002.2125522885.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: *.sln
Source: MSBuild.exe, 00000002.00000002.2125522885.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBuild MyApp.csproj /t:Clean
Source: MSBuild.exe, 00000002.00000002.2125522885.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: /ignoreprojectextensions:.sln
Source: MSBuild.exe, 00000002.00000002.2125522885.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: MSBUILD : error MSB1048: Solution files cannot be debugged directly. Run MSBuild first with an environment variable MSBUILDEMITSOLUTION=1 to create a corresponding ".sln.metaproj" file. Then debug that.

Source: classification engine

Classification label: mal100.troj.evad.winEXE@4/3@0/0

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\file.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5248:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: file.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 13%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: textshaping.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: file.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 5154288 > 1048576

Source: file.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4aea00

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.Linq.2015\Release\System.Data.SQLite.Linq.pdb source: file.exe
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: file.exe, 00000000.00000002.2105387485.0000000004C6F000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmp, file.exe, 00000000.00000002.2105387485.0000000004633000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2115924406.0000000005E20000.00000004.08000000.00040000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\standalone\Release\apphost.pdb source: file.exe
Source:	Binary string: f:\binaries\Intermediate\ndp_msbuild\xmakecommandline.csproj_1613737345\objr\x86\MSBuild.pdb source: MSBuild.exe, 00000002.00000002.2125522885.0000000003BB1000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: D:\a\_work\1\s\artifacts\obj\win-x86.Release\corehost\cli\apphost\standalone\Release\apphost.pdbfffGCTL source: file.exe
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: file.exe, 00000000.00000002.2105387485.0000000004BA1000.00000004.00000800.00020000.00000000.sdmp, file.exe, 00000000.00000002.2115924406.0000000005EDA000.00000004.08000000.00040000.00000000.sdmp, file.exe, 00000000.00000002.2105387485.0000000004D2C000.00000004.00000800.00020000.00000000.sdmp

Source: file.exe

Static PE information: 0xA7BB0938 [Wed Mar 5 01:17:44 2059 UTC]

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6E11B6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6E11B6C0

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E16CC2B push ecx; ret	0_2_6E16CC3E
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E16D565 push ecx; ret	0_2_6E16D578
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_0346AD18 push eax; mov dword ptr [esp], ecx	0_2_0346AD19
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_03465428 push edi; ret	0_2_0346542F
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_05B8890F push dword ptr [esp+ecx*2-75h]; ret	0_2_05B88913
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00DA14A4 push cs; ret	2_2_00DA14A6

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: file.exe PID: 3872, type: MEMORYSTR

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)

Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXEX
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE@\]Q
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \QEMU-GA.EXE

Source: C:\Users\user\Desktop\file.exe	Memory allocated: 3460000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 35A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory allocated: 55A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: DA0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 2BB0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Memory allocated: 4BB0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\file.exe TID: 4128	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 2124	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	Thread delayed: delay time: 922337203685477			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Thread delayed: delay time: 922337203685477			Jump to behavior

Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exe@\]q
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: \qemu-ga.exeX

Source: C:\Users\user\Desktop\file.exe

API call chain: ExitProcess graph end node

graph_0-57384

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6E16948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6E16948B

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6E11B6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6E11B6C0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E16948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6E16948B
Source: C:\Users\user\Desktop\file.exe	Code function: 0_2_6E16B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6E16B144

Source: C:\Users\user\Desktop\file.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\file.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

Writes to foreign memory regions

Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 402000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 456000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 48E000	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: AB6008	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Jump to behavior

Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: GetProgmanWindow
Source: MSBuild.exe, 00000002.00000002.2116927962.0000000002DB9000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: SetProgmanWindow

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6E1684B0 cpuid

0_2_6E1684B0

Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Users\user\Desktop\file.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\Windows\Fonts\micross.ttf VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6E16A25A GetSystemTimeAsFileTime,__aulldiv,

0_2_6E16A25A

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected PureLog Stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.2.file.exe.4746ff0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4746ff0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2111135106.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2105387485.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1994966635.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.file.exe.4746ff0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4746ff0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

Remote Access Functionality

Yara detected PureLog Stealer

Source: Yara match	File source: file.exe, type: SAMPLE
Source: Yara match	File source: 0.2.file.exe.4746ff0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4746ff0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.0.file.exe.d20000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000002.00000002.2111135106.0000000000402000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000002.2105387485.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000000.00000000.1994966635.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Yara detected zgRAT

Source: Yara match	File source: 0.2.file.exe.4746ff0.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 0.2.file.exe.4746ff0.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 2.2.MSBuild.exe.400000.0.unpack, type: UNPACKEDPE

Source: C:\Users\user\Desktop\file.exe

Code function: 0_2_6E11A0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6E11A0C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Native API	1 DLL Side-Loading	312 Process Injection	1 Masquerading	11 Input Capture	1 System Time Discovery	Remote Services	11 Input Capture	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	111 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	1 Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	312 Process Injection	NTDS	31 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	23 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	13%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://api.ip.sb/ip	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
https://system.data.sqlite.org/	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=&rid=falsetrue%pLuLdluldeEpP%c	0%	Avira URL Cloud	safe
https://api.ip.s	0%	Avira URL Cloud	safe
https://www.sqlite.org/lang_aggfunc.html	0%	Avira URL Cloud	safe
https://aka.ms/dotnet-core-applaunch?The	0%	Avira URL Cloud	safe
https://www.sqlite.org/lang_corefunc.html	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	file.exe	false	URL Reputation: safe	unknown
https://api.ip.sb/ip	MSBuild.exe, 00000002.00000002.2116927962.0000000002C09000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://api.ip.s	MSBuild.exe, 00000002.00000002.2116927962.0000000002C09000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	file.exe	false	URL Reputation: safe	unknown
https://www.sqlite.org/lang_corefunc.html	file.exe	false	Avira URL Cloud: safe	unknown
https://aka.ms/dotnet-core-applaunch?The	file.exe	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	file.exe	false	URL Reputation: safe	unknown
https://system.data.sqlite.org/	file.exe	false	URL Reputation: safe	unknown
https://aka.ms/dotnet-core-applaunch?missing_runtime=true&arch=&rid=falsetrue%pLuLdluldeEpP%c	file.exe	false	Avira URL Cloud: safe	unknown
https://www.sqlite.org/lang_aggfunc.html	file.exe	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	file.exe	false	URL Reputation: safe	unknown
https://discord.com/api/v9/users/	MSBuild.exe, 00000002.00000002.2116927962.0000000002CB5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

⊘No contacted IP infos

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1445162
Start date and time:	2024-05-21 17:25:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 8s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	8
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.evad.winEXE@4/3@0/0
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 96% Number of executed functions: 236 Number of non-executed functions: 208
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 2.19.104.72, 20.114.59.183, 93.184.221.240, 192.229.221.95, 13.85.23.206, 20.3.187.198, 2.16.100.168, 88.221.110.91
Excluded domains from analysis (whitelisted): fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, a767.dspw65.akamai.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, wu.azureedge.net, fe3cr.delivery.mp.microsoft.com, download.windowsupdate.com.edgesuite.net, fe3.delivery.mp.microsoft.com, ocsp.digicert.com, e16604.g.akamaiedge.net, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, prod.fs.microsoft.com.akadns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing disassembly code.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
VT rate limit hit for: file.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	https://weblaunch.blifax.com/listener3/redirect?l=e6df36b9-5af1-4758-b7e4-83fbf7f30dfb&id=e0d346f1-f241-ee11-acc4-000c295a2555&u=http%253Aeyesontheguys.com%2Fwinner%2F03013%2F%2FYnJhbmRvbi5nYXJjaWFAZ3RmY3Uub3Jn	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://app.hubspot.com/api/notification-station/general/v1/notifications/cta/0d34038d-a5a4-4a0d-a49c-130128d0eae5?notificationPortalId=44556035&deliveryMethod=EMAIL	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://nervous-seed-snowplow.glitch.me	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://portal-uk.mailanyone.net/outer/passreset?token=dXNlcj1kb3VnLmpld2l0dEBpbmZpbml0eWdyb3VwLmNvLnVrO3RzPTE3MTYzMDExNTM7dG9rZW49%0ANThlOWIyOTNlNmZmMTU2ZTMyYjgwMDgyM2I3NzFmOWMzNWNiNGJlMg%3D%3D	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://www.highcpmgate.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://pglt.me/e6Uqwa18Ip	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	https://msftexperience.qualtrics.com/jfe/form/SV_b1PzoUF1L5qlw1g?Q_DL=FqmbEi7ou0zrWMT_b1PzoUF1L5qlw1g_CGC_M5iNu9qrBGQePsZ&Q_CHL=email	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://iyfhshsp.com/Stockyard.cfm?domain=ontariostockyards.on.ca&fp=CIJaHXP%2F0skOkNSQd%2F4jtYF3X0QXgT%2B41bUKlz9x8WIfofj6IPTV8ScBtVOQWLtb%2FRwG%2FSkHiiHeZllib976kXCJ4XMA794ZiznRS1wP5Uf04A9tPtI%2B0LoCkzGPdAHYsRq7MR7MdbFPY6oXhvApuHKBrlR32ugZAs8XzrJENmfc665HHXmTlZitcPeywgrTHI6o1222VmPYvgQj3BF3SrPGahD54P8mb7wnGA1Iq2VkMCzKYfTBs9TsEjTlKq4y0VG2Wfe4HZz%2FfV4Kj9e8srxlzEkIc8wqr0A4WlsXH8B6EYuy9GOPwGtl0mU5fDBh&yep=RVNTenhI%2BK5wtfh2y3hvr0C%2Bf8yLo0OquMvUcIDm2pI%2BazRSAc%2BgO8tqXXkadYdZm%2FCdVtUW6v4fRHfi2iLasg4ugBXXocFy%2BKZRh8tTJ%2B1hPAPyIid9TVDBqYtpHTyVkiaz87oq7ncPzsby9Tg3T2j1RIiGpW1BmK%2FTrWUih%2FXnDRKhZFMjpokW5c0YMS1fK3J7%2Bd66FySEOnk4uznr%2Bj2iXwlpK45ddD%2FQhCQdRbSYtXyK6Y%2BnNH0XmeriKJQq30PcKbP2b2rfFFjMfmciNCzMIuHsxuylX1DCXMJkN7S2Y8niXSmMcZHZ2gbvX7m%2FOujBxUYqP4pl5pesXzNvel9QWXdbhQ6U03mTXDA670%2FoRFLT8ez1b%2BRvdcfRh2IRVZ3USOJ7UUDZsD%2B4qi731tfoY%2BuT2tHsaGjnJUDy6MSUl743ntfchbV8KuCXmSn1XmeM0kBMR7GWGmgarnEPN%2Fu7tqup9nk129kApIU2XJazrgl2BHASztPoRHJA4xbNJbkTRaDBlHCK9N67TWzrLkFiJ4twAESoSeN26JeNJt6yqKEPdMZKK%2FsbdMW2QYCGWTu0y0eI792%2BqESxmSj4qA6XfdvJ79k%2Bt%2FyBpSzxK2dquDe2JW6MniZQO6CyU2DhiqKzuDQZmsRZ9m8oHVJf6beA8iYJEbjVJaqTWlmrxGQuQ3DSFeBBE8Ne7oPiiZpLqvFbXKPRcgHr9vMQnTDuCWeZqxXfyiW6CcQ3voM95JJ3tzh5utgMLxXBGHBXFS4Ixa%2B5xkoKj0z7EcOCMx8YiIPVZV4lNs46zB9oqP6jlu0MJAe0pYCGsL8uwTsCVWoXahV%2Fu8JKPadX1ikQgHDyF9%2BcBGvs%2FbzL7vuCdqOfmzHcvExkDQgErBb%2BBtNCNp%2B%2FWqR%2F0cmKe6xi8aBCM7qXGm9cEPpsSqr%2BUuXrF193vXut6QHyCd5IqK1XfStY9gWk7QIiMjNxV8zcI%2FXxHJzeFzAjtmoqhbv4cIOJbt8Na7zCDyqKk48L1UnuTJqozjuhQ8WSTcNUOw%2B88xJFzzj95RXpBCr2YLtw6JWH8LGB9MnYKzgGed%2B%2F2vh7SMj%2FO%2FGwwIYOzl3ObdsRSKRFiuUKJqDDT93kK1kj4kEZap5RR9jN6EErfJGTODOigOlaeC1li6Vkvd4gGLQ%2B0HboZ1yg1huBq3K6KvalppsbOoowIz7KG9DqWOJX8hCeGv9dgx9in43hGAWlPGAeuTIqH1boNtj9V3sYVooX5WKblP6tqk3kwvWKmKQOG8vtPGqF5k5Fu4FYO7VSCSzcZoMsDuO2NgJXtvtrFv2D%2FUL%2FeQWWBRqTbSAlLtN%2FMaxEHYMn8Gh%2FJUJ0BoFknnzE9rvJSVjZPOF9mWaZ5JUpoLmRcFBiOVduKCDx5GiDppZF7oI32XfhBbpQYJKIoXaSuCLE%2BUlgzBN8eV4RUkpSDfiZWEL0ePYtSC9bG1YPOZQrRvsZSXYnczNPInescpPN59yK9vXTcATqofw2juvQf	Get hash	malicious	Unknown	Browse	192.229.221.95
	AFATS317052024.msi	Get hash	malicious	Unknown	Browse	192.229.221.95

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	3108_FreeDownloadFiles.zip	Get hash	malicious	PureLog Stealer, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	dehdsDiT1p.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse
	SecuriteInfo.com.Trojan.Siggen28.47309.32751.2518.exe	Get hash	malicious	CryptOne, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	40UAEu1Kpt.exe	Get hash	malicious	LummaC, CryptOne, GCleaner, Glupteba, Mars Stealer, PrivateLoader, PureLog Stealer	Browse
	file.exe	Get hash	malicious	PrivateLoader, PureLog Stealer, Vidar, zgRAT	Browse
	xY4kNfupZh.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	yndoUKWawK.exe	Get hash	malicious	PureLog Stealer, RedLine, zgRAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MsBuild.exe.log

Download File

Process:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1119
Entropy (8bit):	5.345080863654519
Encrypted:	false
SSDEEP:	24:MLUE4K5E4KH1qE4qXKDE4KhKiKhPKIE4oKNzKoZAE4Kze0E4j:MIHK5HKH1qHiYHKh3oPtHo6hAHKze0Hj
MD5:	88593431AEF401417595E7A00FE86E5F
SHA1:	1714B8F6F6DCAAB3F3853EDABA7687F16DD331F4
SHA-256:	ED5E60336FB00579E0867B9615CBD0C560BB667FE3CEE0674F690766579F1032
SHA-512:	1D442441F96E69D8A6D5FB7E8CF01F13AF88CA2C2D0960120151B15505DD1CADC607EF9983373BA8E422C65FADAB04A615968F335A875B5C075BB9A6D0F346C9
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..2,"System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..3,"System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Configuration\2192b0d5aa4aa14486ae08118d3b9fcc\System.Configuration.ni.dll",0..3,"System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml\2062ed810929ec0e33254c02

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.358731107079437
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
MD5:	93E4C46884CB6EE7CDCC4AACE78CDFAC
SHA1:	29B12D9409BA9AFE4C949F02F7D232233C0B5228
SHA-256:	2690023A62F22AB7B27B09351205BA31173B50B77ACA89A5759EDF29A1FB17F7
SHA-512:	E9C3E2FCEE4E13F7776665295A4F6085002913E011BEEF32C8E7065140937DDE1963182B547CC75110BF32AE5130A6686D5862076D5FFED9241F183B9217FA4D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	760320
Entropy (8bit):	6.561572491684602
Encrypted:	false
SSDEEP:	12288:wCMz4nuvURpZ4jR1b2Ag+dQMWCD8iN2+OeO+OeNhBBhhBBgoo+A1AW8JwkaCZ+36:wCs4uvW4jfb2K90oo+C8JwUZc0
MD5:	544CD51A596619B78E9B54B70088307D
SHA1:	4769DDD2DBC1DC44B758964ED0BD231B85880B65
SHA-256:	DFCE2D4D06DE6452998B3C5B2DC33EAA6DB2BD37810D04E3D02DC931887CFDDD
SHA-512:	F56D8B81022BB132D40AA78596DA39B5C212D13B84B5C7D2C576BBF403924F1D22E750DE3B09D1BE30AEA359F1B72C5043B19685FC9BF06D8040BFEE16B17719
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: 3108_FreeDownloadFiles.zip, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: dehdsDiT1p.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen28.47309.32751.2518.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 40UAEu1Kpt.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: xY4kNfupZh.exe, Detection: malicious, Browse Filename: yndoUKWawK.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v...2...2...2...]...6....f..0...)=..,...)=....;...;...2.~.C...)=..i...)=......)=..3...)=..3...Rich2...........PE..L....#da...........!.....(...n...............@......................................(.....@.............................C.......x................................n...B..................................@............@...............................text....&.......(.................. ..`.rdata......@.......,..............@..@.data...`...........................@....rsrc...............................@..@.reloc..R...........................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.171492010172408
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	5'154'288 bytes
MD5:	d9a7d15ae1511095bc12d4faa9be6f70
SHA1:	b90fbb35eb6dd050e4829ecac702feab90f58859
SHA256:	bdc61e24b03db5dbdeaf7979906ea51f0bfe388b41d8e7e80bde6d9acd716bba
SHA512:	f913e5bbb998ad8a391ea99c6d045081da5af128b9391c3a0249ec4eeb9a504be796b3315e7c5b4bae825b7629527719a845a974f4eba37bd0233b86e5483e25
SSDEEP:	98304:NllmCKfheKnF4Gnuyjscn9GtGOqHLixnkmb0ZKH4lODcxSgo5Gn8WuMRIn+N3gNX:NllmCKfY2uWUMBHLi6mb0ZKH4lODcxSL
TLSH:	EF36AE01736A9521C54D9372E2E21E1443F29E47AA66DF0A3B9D37540F633CF8D4B3AA
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...8.................P...J..L........K.. ... K...@.. ........................N......GO...@................................

File Icon


Icon Hash:	13e3e3e3c381d083

Static PE Info

General

Entrypoint:	0x8b089e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xA7BB0938 [Wed Mar 5 01:17:44 2059 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	20/05/2024 13:47:06 21/05/2034 13:47:06
Subject Chain	CN=\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg\u2014s\xb9f\xd3Ee\xde\xd2\xf7\xdcFZW?_g\xbfg
Version:	3
Thumbprint MD5:	9765BC66A4BCC62EAC5E424030500246
Thumbprint SHA-1:	E9832723AACF3BAB6D745EBE2786D8FE9CFDCF06
Thumbprint SHA-256:	0385CC496A59393A5240639BFB0F67CAAD89ED2EF622041872AFD82A77C270B5
Serial:	66A1FE15A80605A545E3CAA1D775F619

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x4b0850	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x4b2000	0x34914	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x4e3800	0x6df0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x4e8000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x4ae8a4	0x4aea00	b2c8be8013f91555e85d43f0f0cbf2d8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x4b2000	0x34914	0x34a00	2535f3a8a2fb496ded4ea2b1da5ac112	False	0.4859801811163896	data	5.601237882346497	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x4e8000	0xc	0x200	083f989b23a1e9120b26a385b411a6cb	False	0.044921875	data	0.08153941234324169	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
EDPPERMISSIVEAPPINFOID	0x4b23b4	0x2	data	5.0
MUI	0x4b23b8	0x158	data	0.5581395348837209
RT_ICON	0x4b2510	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024	0.651595744680851
RT_ICON	0x4b2978	0x988	Device independent bitmap graphic, 24 x 48 x 32, image size 2304	0.5192622950819672
RT_ICON	0x4b3300	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.45426829268292684
RT_ICON	0x4b43a8	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.4049792531120332
RT_ICON	0x4b6950	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.3597071327350024
RT_ICON	0x4bab78	0x5488	Device independent bitmap graphic, 72 x 144 x 32, image size 20736	0.34560998151571165
RT_ICON	0x4c0000	0x94a8	Device independent bitmap graphic, 96 x 192 x 32, image size 36864	0.3220779903300399
RT_ICON	0x4c94a8	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.2969359990535904
RT_ICON	0x4d9cd0	0xc008	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9982302685109845
RT_GROUP_ICON	0x4e5cd8	0x84	data	0.7272727272727273
RT_VERSION	0x4e5d5c	0x3ec	data	0.3615537848605578
RT_MANIFEST	0x4e6148	0x7c9	XML 1.0 document, ASCII text, with CRLF line terminators	0.3622679377822378

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 21, 2024 17:25:56.827824116 CEST	49675	443	192.168.2.5	23.1.237.91
May 21, 2024 17:25:56.827893972 CEST	49674	443	192.168.2.5	23.1.237.91
May 21, 2024 17:25:56.937187910 CEST	49673	443	192.168.2.5	23.1.237.91
May 21, 2024 17:26:06.437202930 CEST	49674	443	192.168.2.5	23.1.237.91
May 21, 2024 17:26:06.437247038 CEST	49675	443	192.168.2.5	23.1.237.91
May 21, 2024 17:26:06.546533108 CEST	49673	443	192.168.2.5	23.1.237.91
May 21, 2024 17:26:08.266313076 CEST	443	49705	23.1.237.91	192.168.2.5
May 21, 2024 17:26:08.266573906 CEST	49705	443	192.168.2.5	23.1.237.91
May 21, 2024 17:26:44.374826908 CEST	49704	80	192.168.2.5	104.18.38.233
May 21, 2024 17:26:44.374876976 CEST	49703	80	192.168.2.5	172.64.149.23
May 21, 2024 17:26:44.380251884 CEST	80	49704	104.18.38.233	192.168.2.5
May 21, 2024 17:26:44.380335093 CEST	49704	80	192.168.2.5	104.18.38.233
May 21, 2024 17:26:44.386543036 CEST	80	49703	172.64.149.23	192.168.2.5
May 21, 2024 17:26:44.386604071 CEST	49703	80	192.168.2.5	172.64.149.23

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 21, 2024 17:26:18.257323980 CEST	1.1.1.1	192.168.2.5	0x5720	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 21, 2024 17:26:18.257323980 CEST	1.1.1.1	192.168.2.5	0x5720	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false
May 21, 2024 17:26:32.507153034 CEST	1.1.1.1	192.168.2.5	0x35b1	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 21, 2024 17:26:32.507153034 CEST	1.1.1.1	192.168.2.5	0x35b1	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:25:58
Start date:	21/05/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xd20000
File size:	5'154'288 bytes
MD5 hash:	D9A7D15AE1511095BC12D4FAA9BE6F70
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000002.2105387485.00000000046EC000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1994966635.0000000000D22000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:26:08
Start date:	21/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Imagebase:	0x850000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000002.00000002.2111135106.0000000000402000.00000040.00000400.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:26:08
Start date:	21/05/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6d64d0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	5.4%
Dynamic/Decrypted Code Coverage:	2.7%
Signature Coverage:	7.2%
Total number of Nodes:	1243
Total number of Limit Nodes:	54

Executed Functions

Function 6E12B6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E12B73F
VariantInit.OLEAUT32(?), ref: 6E12B748
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E12B7BE
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E12B7F5
VariantClear.OLEAUT32(?), ref: 6E12B801

Part of subcall function 6E12C850: VariantInit.OLEAUT32(?), ref: 6E12C88F
Part of subcall function 6E12C850: VariantInit.OLEAUT32(?), ref: 6E12C895
Part of subcall function 6E12C850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E12C8A0
Part of subcall function 6E12C850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E12C8D5
Part of subcall function 6E12C850: VariantClear.OLEAUT32(?), ref: 6E12C8E1

VariantClear.OLEAUT32(?), ref: 6E12BA15
SafeArrayDestroy.OLEAUT32(?), ref: 6E12BE90
VariantClear.OLEAUT32(?), ref: 6E12BEA3
VariantClear.OLEAUT32(?), ref: 6E12BEA9

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: 821904e55054e1d7a477b59478dfd475ec97dd080327a7c3eafa152e24d88c71
Instruction ID: 2f89185156bd5875331ba8ea7686b190a9e4463f4c0ce1694695fa760d46c888
Opcode Fuzzy Hash: 821904e55054e1d7a477b59478dfd475ec97dd080327a7c3eafa152e24d88c71
Instruction Fuzzy Hash: C1525071900219DFDB14DFA8C880BDEBBB9BF59300F1485A9E509AB355DB30A985DF90

Function 06700EB3 Relevance: 29.6, Strings: 23, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LOOK, xrefs: 067017E4
LOOK, xrefs: 06701A9F
Guq, xrefs: 067016D2
p<]q, xrefs: 0670118D
Guq, xrefs: 06701243
HERE, xrefs: 067017E9
p<]q, xrefs: 0670112C
LOOK, xrefs: 06700F6A
p<]q, xrefs: 06701142
Guq, xrefs: 06701CCD
HERE, xrefs: 067019F0
LOOK, xrefs: 0670158D
LOOK, xrefs: 067019EB
LOOK, xrefs: 067012E7
Guq, xrefs: 067014CA
p<]q, xrefs: 06701177
HERE, xrefs: 067012EC
HERE, xrefs: 06701592
HERE, xrefs: 06701AA4
HERE, xrefs: 06701086
Guq, xrefs: 06701923
HERE, xrefs: 06700F6F
LOOK, xrefs: 06701081

Memory Dump Source

Source File: 00000000.00000002.2120698527.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6700000_file.jbxd

Similarity

API ID:
String ID: HERE$HERE$HERE$HERE$HERE$HERE$HERE$LOOK$LOOK$LOOK$LOOK$LOOK$LOOK$LOOK$p<]q$p<]q$p<]q$p<]q$Guq$Guq$Guq$Guq$Guq
API String ID: 0-3029792773
Opcode ID: 9950b32f66dddb1028e7be346421e3735782f1dab559e1d8a3f17b11128977bf
Instruction ID: b3531a55ede554d06e499ed1793770fc1791c2da136df3bd67c0cd663ecab605
Opcode Fuzzy Hash: 9950b32f66dddb1028e7be346421e3735782f1dab559e1d8a3f17b11128977bf
Instruction Fuzzy Hash: AC828174E402298FDBA4DF68C994B99B7F1AF88310F5481E9D40DAB365DB30AE85CF50

Function 6E11B6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(mscoree.dll,4F740BFF), ref: 6E11B711
LoadLibraryW.KERNEL32(mscoree.dll), ref: 6E11B71C
GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 6E11B730
__cftoe.LIBCMT ref: 6E11B870
GetModuleHandleW.KERNEL32(?), ref: 6E11B88B
GetProcAddress.KERNEL32(00000000,C8F5E518), ref: 6E11B8D7

Strings

CLRCreateInstance, xrefs: 6E11B72A
v4.0.30319, xrefs: 6E11B767
mscoree.dll, xrefs: 6E11B70C, 6E11B717

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: AddressHandleModuleProc$LibraryLoad__cftoe
String ID: CLRCreateInstance$mscoree.dll$v4.0.30319
API String ID: 1275574042-506955582
Opcode ID: 0672f819f573c2a65418d23aa33161188fd5055b6eb055096a6f59c5aa6865f1
Instruction ID: c27667335c96cbf870186b99ddab18b0576153d6adf7b0893193ad7b7621f9d2
Opcode Fuzzy Hash: 0672f819f573c2a65418d23aa33161188fd5055b6eb055096a6f59c5aa6865f1
Instruction Fuzzy Hash: 539168B1908249DFCB04DFE8C8849EEBBB4BF49310B20856CE116AB354D734A986DB54

Function 0346BDA8 Relevance: 7.1, Strings: 5, Instructions: 831COMMON

Download Yara Rule

Strings

,aq, xrefs: 0346C4F7
Haq, xrefs: 0346C7D0
(o]q, xrefs: 0346C759
(o]q, xrefs: 0346C763
,aq, xrefs: 0346C4E7

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID: (o]q$(o]q$,aq$,aq$Haq
API String ID: 0-2157538030
Opcode ID: 1ed00c354e173a7123997674ea623cd610cbb77537179b6e646195055655ae53
Instruction ID: 7d6eca5b14e1019e83ac9aa6f5d629cc84818dbe796e7a6ad9862086449b979d
Opcode Fuzzy Hash: 1ed00c354e173a7123997674ea623cd610cbb77537179b6e646195055655ae53
Instruction Fuzzy Hash: 88627F75B001169FCB18DF69C884AAEB7B6FF88311B15816AE845DF364DB30EC41CB96

Function 03467DC8 Relevance: 2.8, Strings: 2, Instructions: 260COMMON

Download Yara Rule

Strings

$]q, xrefs: 03467DDE
Xaq, xrefs: 03467DF7

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID: Xaq$$]q
API String ID: 0-1280934391
Opcode ID: 8491c1248dd3c9d350312aca42439f08987276b23838cbcccbe257f750c275d2
Instruction ID: 1fb76c8d02bc3f9af6b5f9e9a95c6f9ca5b42a9475fb56abbb92e242e895b82d
Opcode Fuzzy Hash: 8491c1248dd3c9d350312aca42439f08987276b23838cbcccbe257f750c275d2
Instruction Fuzzy Hash: A3817434B042189BCB18DF75945467EBBB7BFC8750F09886EE416EB388CE359802C796

Function 067026F8 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120698527.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6700000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: da13d86ac1e7fae68c13908713ddebb217e0aa02f392d4a97b0c2c6a0c5a0b1f
Instruction ID: e80a41effd37d21d8965ba44e22518723305f4e4355c6c6e8deb7400896a3038
Opcode Fuzzy Hash: da13d86ac1e7fae68c13908713ddebb217e0aa02f392d4a97b0c2c6a0c5a0b1f
Instruction Fuzzy Hash: C1329174E012289FDB64DFA5C894BEDBBB2BF89300F1091AAD519B7294DB305E81CF51

Function 03468E40 Relevance: .4, Instructions: 402COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d284d7c2800d6d7445162910a32afdb530cd53733d3dfcfaf5ee4201cdf481c
Instruction ID: 8628c7a8d339b40066480b4fb7b8b594b1b5cee0fd389f201d323df2c26ac614
Opcode Fuzzy Hash: 5d284d7c2800d6d7445162910a32afdb530cd53733d3dfcfaf5ee4201cdf481c
Instruction Fuzzy Hash: 64129E74E04228CFDB64DF69C994B9DBBB2BF89300F1081AAD409AB365DB705E85CF51

Function 067026DC Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120698527.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6700000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e2a640a84db7a81a678a87dca1f36d779d5987f5e62943b186e721b3a1efdf64
Instruction ID: 639a12d935257cd11968292b26172207afc4df1d251e03293c2c13438757cfcd
Opcode Fuzzy Hash: e2a640a84db7a81a678a87dca1f36d779d5987f5e62943b186e721b3a1efdf64
Instruction Fuzzy Hash: 3B91D474E012189FDB64DF69C850BDDBBF2BF89300F1481AAD508AB251DB305A85CF91

Function 6E129357 Relevance: 41.0, APIs: 21, Strings: 1, Instructions: 2492COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E1284BF
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E1284D2
SafeArrayGetElement.OLEAUT32 ref: 6E12850A
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E1294C1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E1294D4
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6E12950C
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E1297A4
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E1297B7
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6E1297F2

Part of subcall function 6E123A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E123B71
Part of subcall function 6E123A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E123B83

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E129D5F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E129D72
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6E129DAF

Part of subcall function 6E123A90: SafeArrayDestroy.OLEAUT32(?), ref: 6E123BCF

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E12A1BC
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E12A1CF
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6E12A20C
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Strings

A, xrefs: 6E12AD44

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID: A
API String ID: 959723449-3554254475
Opcode ID: f53d6218070f9813027f334e114b9eea8137e665f3da4e0a6aabe6a7c843472e
Instruction ID: 6f5c01cc36c68c24e8e7e08809e95ca59f2062b5c96d53e3532884ffb555e394
Opcode Fuzzy Hash: f53d6218070f9813027f334e114b9eea8137e665f3da4e0a6aabe6a7c843472e
Instruction Fuzzy Hash: 47237D70A002059FDB40DFE8CC94FDA77B9AF49304F1485A8EA09AF296DB71E9C5DB50

Function 6E122970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E1229F6
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E122A08
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E122A2F
VariantInit.OLEAUT32(?), ref: 6E122ABB
VariantInit.OLEAUT32(?), ref: 6E122B3F
VariantClear.OLEAUT32(?), ref: 6E122C04
VariantClear.OLEAUT32(?), ref: 6E122C0B
VariantClear.OLEAUT32(?), ref: 6E122C12
VariantClear.OLEAUT32(?), ref: 6E122C96
VariantClear.OLEAUT32(?), ref: 6E122C9D
VariantClear.OLEAUT32(?), ref: 6E122CD6
VariantClear.OLEAUT32(?), ref: 6E122CDD
VariantClear.OLEAUT32(?), ref: 6E122CE4
SafeArrayDestroy.OLEAUT32(?), ref: 6E122D1B
VariantClear.OLEAUT32(?), ref: 6E122D45
VariantClear.OLEAUT32(?), ref: 6E122D4C
VariantClear.OLEAUT32(?), ref: 6E122D53

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$BoundInit$DestroyElement
String ID:
API String ID: 214056513-0
Opcode ID: 665d61ddae9b22d63180e4045ef3717aadbccf526a67fffd04c08f9a36ee7ea5
Instruction ID: b7c616a3eb23b5b7153d6a3e1e5ceee8406aed884ee94c96e519526c096d05a0
Opcode Fuzzy Hash: 665d61ddae9b22d63180e4045ef3717aadbccf526a67fffd04c08f9a36ee7ea5
Instruction Fuzzy Hash: B1C178712183459FD700CFA8C884A5FBBE8BF99304F20896DF695CB260D775E885DB62

Function 6E11AF30 Relevance: 24.3, APIs: 16, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E11AF75
VariantInit.OLEAUT32(?), ref: 6E11AF7C
VariantInit.OLEAUT32(?), ref: 6E11AF83
VariantCopy.OLEAUT32(?,?), ref: 6E11B00D
VariantClear.OLEAUT32(?), ref: 6E11B027
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E11B19C
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E11B1AA
SafeArrayAccessData.OLEAUT32(?,?), ref: 6E11B1C5
_memmove.LIBCMT ref: 6E11B1E6
SafeArrayUnaccessData.OLEAUT32(?), ref: 6E11B1EF
VariantClear.OLEAUT32(?), ref: 6E11B237
VariantClear.OLEAUT32(?), ref: 6E11B23E
VariantClear.OLEAUT32(?), ref: 6E11B245
VariantClear.OLEAUT32(?), ref: 6E11B29D
VariantClear.OLEAUT32(?), ref: 6E11B2A4
VariantClear.OLEAUT32(?), ref: 6E11B2AB

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$BoundData$AccessCopyUnaccess_memmove
String ID:
API String ID: 3403836469-0
Opcode ID: e9ec96621ba8eb00d11499a7d7d8478a1e0bbc186a870f0ba4a7dcb03de9a5a2
Instruction ID: e250049c124caf017f5a5826a86f20ab9d47badc1716cf0e22667bf3be542e67
Opcode Fuzzy Hash: e9ec96621ba8eb00d11499a7d7d8478a1e0bbc186a870f0ba4a7dcb03de9a5a2
Instruction Fuzzy Hash: 23C158B26083429FD700DFA8C884D9BB7E9FB89304F10896DF659CB254D730E985DB92

Function 6E12D410 Relevance: 24.3, APIs: 16, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6E12D4B3
VariantInit.OLEAUT32 ref: 6E12D4C5
VariantInit.OLEAUT32(?), ref: 6E12D4CC
_malloc.LIBCMT ref: 6E12D551
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E12D58B
SafeArrayCreateVector.OLEAUT32 ref: 6E12D5A6
SafeArrayAccessData.OLEAUT32 ref: 6E12D5B8

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayInitSafeVariant$CreateVector$AccessData_malloc
String ID:
API String ID: 1552365394-0
Opcode ID: 5b4b73994a2e81229615e927413aa71e61b31d0f0bed4af84cfeecd9840fda42
Instruction ID: 43b4fac0973fc1f7bd932af5e00eab17b1fcdc91083ad619df556e895cd97f34
Opcode Fuzzy Hash: 5b4b73994a2e81229615e927413aa71e61b31d0f0bed4af84cfeecd9840fda42
Instruction Fuzzy Hash: 8FB154B66083419FD314CF68C880A5BB7F9FF89314F14896DE8958B250EB70E985CF92

Function 6E12D468 Relevance: 21.2, APIs: 14, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6E12D4B3
VariantInit.OLEAUT32 ref: 6E12D4C5
VariantInit.OLEAUT32(?), ref: 6E12D4CC
_malloc.LIBCMT ref: 6E12D551
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E12D58B
SafeArrayCreateVector.OLEAUT32 ref: 6E12D5A6
SafeArrayAccessData.OLEAUT32 ref: 6E12D5B8
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E12D601
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E12D63E

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$InitVariant$CreateElementVector$AccessData_malloc
String ID:
API String ID: 2723946344-0
Opcode ID: ad288f1ca2b98adfa0caf5d76aaf514067dd09e2bd1bcac03463ea389c0f513c
Instruction ID: 2df57cf74e0c91fb2da9971fdbc371c40bccda65067d924f814f1058f0e74d79
Opcode Fuzzy Hash: ad288f1ca2b98adfa0caf5d76aaf514067dd09e2bd1bcac03463ea389c0f513c
Instruction Fuzzy Hash: 669155B56083419FD304CFA8C880A5BB7F9BF89308F14896DE8958B251E774E885CF92

Function 6E1244C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E1244FF
VariantInit.OLEAUT32(?), ref: 6E124505
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E124516
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E124551
VariantClear.OLEAUT32(?), ref: 6E12455A
SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6E124579
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E124594
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6E1245B5
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6E1245CE
std::tr1::_Xweak.LIBCPMT ref: 6E12475A
SafeArrayDestroy.OLEAUT32(?), ref: 6E124777
VariantClear.OLEAUT32(?), ref: 6E124787
VariantClear.OLEAUT32(?), ref: 6E12478D

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$DestroyXweakstd::tr1::_
String ID:
API String ID: 1304965753-0
Opcode ID: 7a968b2a64ab4c6eec75956295fda8a76e825d243b3d33cf467f112fc2b196fd
Instruction ID: 524e338f2b43057df5df409788094029b6e143a37b750cc4febc9f7e0682441f
Opcode Fuzzy Hash: 7a968b2a64ab4c6eec75956295fda8a76e825d243b3d33cf467f112fc2b196fd
Instruction Fuzzy Hash: F3A12B75A002069FDB54DBE4CD84EAFB7B9BF8D710F144629E506AB780CA34F981DB60

Function 6E12BF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E12BF3D
VariantInit.OLEAUT32(?), ref: 6E12BF4A
VariantInit.OLEAUT32(?), ref: 6E12BF50
VariantInit.OLEAUT32(?), ref: 6E12BF56
VariantInit.OLEAUT32 ref: 6E12C04D
VariantCopy.OLEAUT32(?,?), ref: 6E12C054
VariantInit.OLEAUT32 ref: 6E12C085
VariantCopy.OLEAUT32(?,?), ref: 6E12C08C
VariantClear.OLEAUT32(?), ref: 6E12C118
VariantClear.OLEAUT32(?), ref: 6E12C11E
VariantClear.OLEAUT32(?), ref: 6E12C124
VariantClear.OLEAUT32(?), ref: 6E12C12A

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: 6f4978002b5586272e308795dc788de5aa721ca9cba4e96e6b27f7207a5244d7
Instruction ID: 9af7b7fa0a4072585c5f1c5539c9c41f0a70913c535d0071488941e031c8b679
Opcode Fuzzy Hash: 6f4978002b5586272e308795dc788de5aa721ca9cba4e96e6b27f7207a5244d7
Instruction Fuzzy Hash: 7D818A71900219AFDB04DFE8CC84FEEBBB9BF49304F148569E505AB240DB30EA85DB94

Function 6E1264D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6E12650C
VariantInit.OLEAUT32(?), ref: 6E126519
VariantInit.OLEAUT32(?), ref: 6E126520
SafeArrayCreateVector.OLEAUT32(0000000C), ref: 6E126531
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E12656D
VariantClear.OLEAUT32(?), ref: 6E126576
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E1265B6
VariantClear.OLEAUT32(?), ref: 6E1265BF
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E126666
VariantClear.OLEAUT32(?), ref: 6E126677
VariantClear.OLEAUT32(?), ref: 6E12667E
VariantClear.OLEAUT32(?), ref: 6E126685

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$Element$CreateDestroyVector
String ID:
API String ID: 1625659656-0
Opcode ID: 46b218e25b1a69ef6bc8724a04110724a13a51bda593e0b68b66ff55e724b89b
Instruction ID: b4c7a0e7718803097342238313c4076dc4c77f791d7d8fadc0f6f72506093a74
Opcode Fuzzy Hash: 46b218e25b1a69ef6bc8724a04110724a13a51bda593e0b68b66ff55e724b89b
Instruction Fuzzy Hash: 4A515CB25187059FC700DF64C880A5BBBF8EFDA700F10892DF96587250EB35E946DB92

Function 6E12CB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E12CBCA
VariantInit.OLEAUT32(?), ref: 6E12CBD3
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E12CBE4
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E12CBF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E12CC0D
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6E12CC39
VariantClear.OLEAUT32(?), ref: 6E12CC42
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6E12CC5D
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6E12CC77
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E12CCEC
VariantClear.OLEAUT32(?), ref: 6E12CCFC
VariantClear.OLEAUT32(?), ref: 6E12CD02

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$Destroy
String ID:
API String ID: 3548156019-0
Opcode ID: b51ab3c68d0ea855814b3bf337dbf75ab714a8673dea531c82afb28344fb5b05
Instruction ID: d90ee01d3722eaebdbf70d349273210448695b7d4c0dacec3648a4c58ab47f70
Opcode Fuzzy Hash: b51ab3c68d0ea855814b3bf337dbf75ab714a8673dea531c82afb28344fb5b05
Instruction Fuzzy Hash: D9511DB5D0024A9FDB00DFA4CC84EEEBBB8FF49710F14816AEA15A7241D770A945DBA0

Function 6E11A350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E11A393
VariantInit.OLEAUT32(?), ref: 6E11A39A
VariantInit.OLEAUT32(?), ref: 6E11A3A1
VariantCopy.OLEAUT32(?,?), ref: 6E11A3EF
VariantClear.OLEAUT32(?), ref: 6E11A409
VariantClear.OLEAUT32(?), ref: 6E11A50A
VariantClear.OLEAUT32(?), ref: 6E11A511
VariantClear.OLEAUT32(?), ref: 6E11A518
VariantClear.OLEAUT32(?), ref: 6E11A55E
VariantClear.OLEAUT32(?), ref: 6E11A565
VariantClear.OLEAUT32(?), ref: 6E11A56C

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Clear$Init$Copy
String ID:
API String ID: 3214764494-0
Opcode ID: 6ad7d9b1dde71ba8ec801f8fcfb5705f84e221520e7a2cd4f2616310100adbcf
Instruction ID: 461a5ddae762fa8a07331ca4db4fb6796c4c9c365c02aa5b7ecfde919a611643
Opcode Fuzzy Hash: 6ad7d9b1dde71ba8ec801f8fcfb5705f84e221520e7a2cd4f2616310100adbcf
Instruction Fuzzy Hash: FA715B726083419FD300DFA9C880A9BBBE8FF89710F14896DFA55CB290D730E945DB62

Function 6E12CD20 Relevance: 15.5, APIs: 10, Instructions: 485
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6E12CD5C
VariantInit.OLEAUT32(?), ref: 6E12CD65
VariantInit.OLEAUT32(?), ref: 6E12CD6B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E12CD76
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E12CDAA
VariantClear.OLEAUT32(?), ref: 6E12CDB7
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E12D2A5
VariantClear.OLEAUT32(?), ref: 6E12D2B5
VariantClear.OLEAUT32(?), ref: 6E12D2BB
VariantClear.OLEAUT32(?), ref: 6E12D2C1

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 7f67330ffb2b27953dec573991864b5f526c4c2b7bff712cbefe182f0cf9efc6
Instruction ID: 7d0119726e8e3b03542743b7faeb960df2bde535f1c68f81424893dd9f5fed6b
Opcode Fuzzy Hash: 7f67330ffb2b27953dec573991864b5f526c4c2b7bff712cbefe182f0cf9efc6
Instruction Fuzzy Hash: EF12F575615705AFC758DBD8DD84DAAB3B9BF8D300F144668F50AABB91CA30F841CB50

Function 6E1266A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6E1266DB
VariantInit.OLEAUT32 ref: 6E1266EA
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E126700
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E12673A
VariantClear.OLEAUT32(?), ref: 6E126747
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E126787
VariantClear.OLEAUT32(?), ref: 6E126794
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E126849
VariantClear.OLEAUT32(?), ref: 6E12685A
VariantClear.OLEAUT32(?), ref: 6E126861

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ArrayClearSafe$ElementInit$CreateDestroyVector
String ID:
API String ID: 551789342-0
Opcode ID: f7ac39995a74838cf05777a1b4b257e14d37d23753d83833d208f3745550c506
Instruction ID: 2c30d8d1b409b02b44c7026a527aa721c89034227b5a46cb27fbc73550163442
Opcode Fuzzy Hash: f7ac39995a74838cf05777a1b4b257e14d37d23753d83833d208f3745550c506
Instruction Fuzzy Hash: 4E516B761087069FC700CF64C844B9BBBE9EF89714F108A6DF9559B250EB30E945DBA2

Function 6E12840E Relevance: 13.8, APIs: 9, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E1284BF
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E1284D2
SafeArrayGetElement.OLEAUT32 ref: 6E12850A

Part of subcall function 6E123A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E123B71
Part of subcall function 6E123A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E123B83

Part of subcall function 6E1269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E126A08
Part of subcall function 6E1269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E126A15
Part of subcall function 6E1269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E126A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Part of subcall function 6E11DFB0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E11DFF6
Part of subcall function 6E11DFB0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E11E003
Part of subcall function 6E11DFB0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E11E02F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID:
API String ID: 959723449-0
Opcode ID: 7d2e614608e21682d1e2b15266d387a02510df6359df3019fd16fe9e9c7c7319
Instruction ID: 7818df1bd73be8d331376d7e2019222d5e3bc02343f8a75913a4e8408e4d3e6e
Opcode Fuzzy Hash: 7d2e614608e21682d1e2b15266d387a02510df6359df3019fd16fe9e9c7c7319
Instruction Fuzzy Hash: 58C15F70A002059FDB50DFA8CC94FAAB7B9AF55304F2085A8E519EB286DB71EDC1DB50

Function 6E124170 Relevance: 13.8, APIs: 9, Instructions: 277COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E1241AF
VariantInit.OLEAUT32(?), ref: 6E1241B5
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E1241C0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E1241F5
VariantClear.OLEAUT32(?), ref: 6E124201
std::tr1::_Xweak.LIBCPMT ref: 6E124450
SafeArrayDestroy.OLEAUT32(?), ref: 6E12446D
VariantClear.OLEAUT32(?), ref: 6E12447D
VariantClear.OLEAUT32(?), ref: 6E124483

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 57937520256c5cc601195c8c47ee4b43718f9e02ed3bbb09176bcf44bc4e50ea
Instruction ID: 84c538ccda805c3356898725e0e13fd099556aae74da60c2530db599f39353db
Opcode Fuzzy Hash: 57937520256c5cc601195c8c47ee4b43718f9e02ed3bbb09176bcf44bc4e50ea
Instruction Fuzzy Hash: 3BB12675A006499FCB14DF98CC84DEAB7F9BF8D310F158568E50AAB790DA34F841DB60

Function 6E12C530 Relevance: 13.8, APIs: 9, Instructions: 259COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E12C56F
VariantInit.OLEAUT32(?), ref: 6E12C575
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E12C580
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E12C5B5
VariantClear.OLEAUT32(?), ref: 6E12C5C1
std::tr1::_Xweak.LIBCPMT ref: 6E12C7D4
SafeArrayDestroy.OLEAUT32(?), ref: 6E12C7F1
VariantClear.OLEAUT32(?), ref: 6E12C801
VariantClear.OLEAUT32(?), ref: 6E12C807

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 74994db025a3235f1e6eb4e09d3fbb904095eafdbd62937ad1c5d66fc9beb9b9
Instruction ID: 724e11966b1eb7c8d8aed54e353c5a8524d2ac242cae5c29621428eb36e8e76a
Opcode Fuzzy Hash: 74994db025a3235f1e6eb4e09d3fbb904095eafdbd62937ad1c5d66fc9beb9b9
Instruction Fuzzy Hash: 16A139756006099FCB14DF98CC84DEAB7F9BF8D310F158568E606AB790DA34F881DB60

Function 6E126880 Relevance: 13.6, APIs: 9, Instructions: 117COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E1268B2
VariantInit.OLEAUT32(?), ref: 6E1268BD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E1268D7
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E1268FD
VariantClear.OLEAUT32(?), ref: 6E126909
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E126923
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E126981
VariantClear.OLEAUT32(?), ref: 6E12699E
VariantClear.OLEAUT32(?), ref: 6E1269A4

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ArraySafe$Clear$ElementInit$CreateDestroyVector
String ID:
API String ID: 3529038988-0
Opcode ID: d2607c2f1f41255fac6eb7fa72e9ec90572de78e398a604250805a60b8104663
Instruction ID: 6a4f03470a8de1ee1c37884285184b04aedcb9677a2d577ac90eebc8a2da85b1
Opcode Fuzzy Hash: d2607c2f1f41255fac6eb7fa72e9ec90572de78e398a604250805a60b8104663
Instruction Fuzzy Hash: F04161B2900609DFDB00DFA4C884AEFBBB8FF59710F148129E505A7340EB75A945DBA1

Function 6E11C020 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E11C074
VariantInit.OLEAUT32(?), ref: 6E11C07B
VariantInit.OLEAUT32(?), ref: 6E11C082
VariantInit.OLEAUT32(?), ref: 6E11C089
VariantClear.OLEAUT32(?), ref: 6E11C312
VariantClear.OLEAUT32(?), ref: 6E11C319
VariantClear.OLEAUT32(?), ref: 6E11C320
VariantClear.OLEAUT32(?), ref: 6E11C327

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 905788289e362075715ab2dea6f048a86231d4263f953ba01a20f128841dd9cb
Instruction ID: 3523c53cdb0229364970cc1709810dfd8a7ec4d611e81e48a0a2af497293ac14
Opcode Fuzzy Hash: 905788289e362075715ab2dea6f048a86231d4263f953ba01a20f128841dd9cb
Instruction Fuzzy Hash: E0C156716087019FC304CFA8C88099BB7E9BFD9704F248A6DF5989B364D735E885DB92

Function 6E126B10 Relevance: 9.4, APIs: 6, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6E126C8B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6E126CA6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6E126CC7

Part of subcall function 6E125760: std::tr1::_Xweak.LIBCPMT ref: 6E125769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6E126CF9

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6E126F13
InterlockedCompareExchange.KERNEL32(6E1AC6A4,45524548,4B4F4F4C), ref: 6E126F34

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID:
API String ID: 2722669376-0
Opcode ID: 1d495dce0598ae44624deba568cc192321806f151114f8033b009eb229c14bd9
Instruction ID: a05ac6075116a6c1066ce5c85ab35ed60c45ff39acc8c3c6496a4869a4ce26ae
Opcode Fuzzy Hash: 1d495dce0598ae44624deba568cc192321806f151114f8033b009eb229c14bd9
Instruction Fuzzy Hash: DBD1A2B1A102099FDB10CFE4CC90BEE77B9AF45304F158879E515AB284D774E9C4EBA1

Function 6E1116B0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 487COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::tr1::_Xweak.LIBCPMT ref: 6E111B53
std::_Xinvalid_argument.LIBCPMT ref: 6E111B5D
std::exception::exception.LIBCMT ref: 6E111C43
__CxxThrowException@8.LIBCMT ref: 6E111C58

Strings

invalid vector<T> subscript, xrefs: 6E111B58

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentXweak_mallocstd::_std::exception::exceptionstd::tr1::_
String ID: invalid vector<T> subscript
API String ID: 3098024973-3016609489
Opcode ID: 9bf9f93b39f5acdb0ba42bbbf116127c07d57fe323e3ef2483291b599f459cd8
Instruction ID: da59a4aba784027d23dca87511a2aa9ba2fa9a17c77e072bc812ea2a6d8a59af
Opcode Fuzzy Hash: 9bf9f93b39f5acdb0ba42bbbf116127c07d57fe323e3ef2483291b599f459cd8
Instruction Fuzzy Hash: 802228759007499FCB10CFE4C4909EEFBF9BF44314F118A6ED55AAB250E734AA89DB80

Function 6E11DB30 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6E1231EC), ref: 6E11DB5E
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E11DB6E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E11DB82
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E11DBF1
VariantClear.OLEAUT32(?), ref: 6E11DBFB

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Variant$ClearCreateDestroyElementInitVector
String ID:
API String ID: 182531043-0
Opcode ID: 73c840c8d336e2314e8f7d7b089f42258ab95fcde3113ac032b68fe60c2aa12f
Instruction ID: 215828adab6649fd4e8b7606fb882ff7149a5f7348d3de386a8fab8896d5cc18
Opcode Fuzzy Hash: 73c840c8d336e2314e8f7d7b089f42258ab95fcde3113ac032b68fe60c2aa12f
Instruction Fuzzy Hash: CA318F7AA04605AFDB00DF94C844EEFB7B9FF9A710F11816AE911AB300D734A801DFA0

Function 6E16A42D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__CRT_INIT@12.LIBCMT ref: 6E16A463
__CRT_INIT@12.LIBCMT ref: 6E16A493
__CRT_INIT@12.LIBCMT ref: 6E16A4B3

Strings

a0, xrefs: 6E16A4FF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: T@12
String ID: a0
API String ID: 456891419-3188653782
Opcode ID: 6dc1def6d48eefc55a34149cb8e0165c141f15dd1cf743c96dc8b35f72bc5ced
Instruction ID: a691c295afa25765a289dadeaa543d9f65d67d38ba28ba34e9665c6f268d12ca
Opcode Fuzzy Hash: 6dc1def6d48eefc55a34149cb8e0165c141f15dd1cf743c96dc8b35f72bc5ced
Instruction Fuzzy Hash: 0911DA70D002776ADB709AF64C5CFAFBBBCAF92754F148418E921E2144D734C9D1EAA0

Function 6E169BB5 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E169BCF

Part of subcall function 6E169D66: __FF_MSGBANNER.LIBCMT ref: 6E169D7F
Part of subcall function 6E169D66: __NMSG_WRITE.LIBCMT ref: 6E169D86
Part of subcall function 6E169D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6E169BD4,6E101290,4F740BFF), ref: 6E169DAB

std::exception::exception.LIBCMT ref: 6E169C04
std::exception::exception.LIBCMT ref: 6E169C1E
__CxxThrowException@8.LIBCMT ref: 6E169C2F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: a6ba91484d0553d69692cc411305559e837caec9b61eb65d27cbb4f31f0f7864
Instruction ID: c467563137a29d682a85477e18c89030085a419b2d675e904c23c48a1acee1d5
Opcode Fuzzy Hash: a6ba91484d0553d69692cc411305559e837caec9b61eb65d27cbb4f31f0f7864
Instruction Fuzzy Hash: CFF0F47140055DABDF14DBD8CC34EEE7BBCBB41718F140819D402A6284DB708AD1B750

Function 6E116C60 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6E116C73
SafeArrayAccessData.OLEAUT32(00000000,6E116C3C), ref: 6E116C87
_memmove.LIBCMT ref: 6E116C9A
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6E116CA3

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Data$AccessCreateUnaccessVector_memmove
String ID:
API String ID: 3147195435-0
Opcode ID: 4b047db69f3c31a58973dd5743f56759eb3f9481e16a6fab59a0ff0dd6fa7d94
Instruction ID: 5c271763a72d099f05c6a61b6f00901c80b531c6e4bb188c024fef0de1df91fc
Opcode Fuzzy Hash: 4b047db69f3c31a58973dd5743f56759eb3f9481e16a6fab59a0ff0dd6fa7d94
Instruction Fuzzy Hash: 78F05E75214219BBEB109F91DC89FDB3BACEF86764F00C025FA188A240E771E540ABA1

Function 6E131FD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E132206
__CxxThrowException@8.LIBCMT ref: 6E132221

Part of subcall function 6E136480: __CxxThrowException@8.LIBCMT ref: 6E136518
Part of subcall function 6E136480: __CxxThrowException@8.LIBCMT ref: 6E136558

Strings

ILProtector, xrefs: 6E132045

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throw$_mallocstd::exception::exception
String ID: ILProtector
API String ID: 84431791-1153028812
Opcode ID: 40714e98458e14a398f8cf7be25370e247ca3a866f37e3a7a9e24c2478f6e42e
Instruction ID: 96201990efb8d3848168db0eb276a47b51144561ee6ad9a3b4f171315a394121
Opcode Fuzzy Hash: 40714e98458e14a398f8cf7be25370e247ca3a866f37e3a7a9e24c2478f6e42e
Instruction Fuzzy Hash: 0F7139B5904658DFCB14CFA8C844BEEBBB8FF49300F10859AD41AA7340DB306A85DF91

Function 6E119110 Relevance: 5.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6E11913B
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6E11915C
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 6E119170
LeaveCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6E119191

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 6932d7b25cb928c2aa565770106c804dad09e48bd7ce5420d69c32deddae5c29
Instruction ID: 20e09e8e46e92154f23f059dc5e4aaf06db163bd0a389245e0817bdba20d32fc
Opcode Fuzzy Hash: 6932d7b25cb928c2aa565770106c804dad09e48bd7ce5420d69c32deddae5c29
Instruction Fuzzy Hash: C34151769042099FCB04DFD5C9948EFBBB8FF59210B21856ED926AB300D730AA45DFE1

Function 6E118E20 Relevance: 4.7, APIs: 3, Instructions: 162COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6E118E89
LeaveCriticalSection.KERNEL32(?,00000000), ref: 6E118EAD
_memset.LIBCMT ref: 6E118ED2

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave_memset
String ID:
API String ID: 3751686142-0
Opcode ID: d050c9049769d48d7555f7b8c878e88b189a90374d4457da43d04c44089e894c
Instruction ID: 5858c71bfe59c7063aa37d4e7cbfb8021b8019084cf584e4be7d9c6f75842d5e
Opcode Fuzzy Hash: d050c9049769d48d7555f7b8c878e88b189a90374d4457da43d04c44089e894c
Instruction Fuzzy Hash: 9C516D74604246AFC744CF98C490EDAB7B6FF49304F20C569E91A9B381D731ED95DB90

Function 6E11D920 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6E11D949
SafeArrayPutElement.OLEAUT32(00000000,?,00000000), ref: 6E11D96C
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E11D9CF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: a3be395773bb94174ae3721fb10a8d96af8a2a2d04aea0c9095cd8fb16964e69
Instruction ID: 090e53de3ca89906b18b69809674cef9c184ea36173519ef58021961f38e5888
Opcode Fuzzy Hash: a3be395773bb94174ae3721fb10a8d96af8a2a2d04aea0c9095cd8fb16964e69
Instruction Fuzzy Hash: A121A135200619AFEB11CF94CC94FEB77A8EF8A701F1080A8E945DB244D771ED41EBA1

Function 6E11D9F0 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,?), ref: 6E11DA16
SafeArrayPutElement.OLEAUT32(00000000,?,00000000), ref: 6E11DA33
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E11DA9E

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: b5cc8ae868a6e313efb216aa003a6dd8f95bba7c2851b39ee1f885a5f51895db
Instruction ID: a9d4acd0e426bed9f7650ec2521863c9154e20b614e79dd5dd587aa3ed3f2787
Opcode Fuzzy Hash: b5cc8ae868a6e313efb216aa003a6dd8f95bba7c2851b39ee1f885a5f51895db
Instruction Fuzzy Hash: 09214A75208606AFE700CFE9D890BDB77A8AF5A301F204469EA05CB240E771E941EF60

Function 6E12DB10 Relevance: 4.6, APIs: 3, Instructions: 63COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E12DB2D
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E12DB45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E12DBA2

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: 6448e0675e2f725e8eded47d23deb2089de05a554899fae3cf42ba7375dad709
Instruction ID: d3765c9175df8ddeb432cd60cb506761332346212fe8f83e592af08d934a0ff7
Opcode Fuzzy Hash: 6448e0675e2f725e8eded47d23deb2089de05a554899fae3cf42ba7375dad709
Instruction Fuzzy Hash: D3119A75641205AFD700DFA9C898F9ABBB8FF5A311F0481A9E908DB301D731A881DFA0

Function 6E133EB0 Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E134042

Part of subcall function 6E169533: std::exception::_Copy_str.LIBCMT ref: 6E16954E

__CxxThrowException@8.LIBCMT ref: 6E134059

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C04
Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C1E
Part of subcall function 6E169BB5: __CxxThrowException@8.LIBCMT ref: 6E169C2F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 2813683038-0
Opcode ID: bf1c29191a0cdc4c418768af82b3b3fcfa2fe8ce2c590cb07ae514c437b3e4bb
Instruction ID: 969f882dd87679bd0b0b46391c3ad6167742a23e3af43f90df26313d6cbaf8d9
Opcode Fuzzy Hash: bf1c29191a0cdc4c418768af82b3b3fcfa2fe8ce2c590cb07ae514c437b3e4bb
Instruction Fuzzy Hash: 6D91DFB19087009FD700CFD9C840B9EFBF8FF90344F25896AE5159B290E7B1D985AB96

Function 6E11BDF7 Relevance: 3.2, APIs: 2, Instructions: 200COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E11BE2D
IsBadReadPtr.KERNEL32(00000000,00000008,?,?,?), ref: 6E11BE6D

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroyReadSafe
String ID:
API String ID: 616443815-0
Opcode ID: cc316f5071bec0c6a2444fec674f7c9612f1e0c02de2ffc9251ae699837aab77
Instruction ID: 72068c8e0748bc003b772b8a0a2d96f1ad3e262c2bb4293e25e7862bc7ed59e4
Opcode Fuzzy Hash: cc316f5071bec0c6a2444fec674f7c9612f1e0c02de2ffc9251ae699837aab77
Instruction Fuzzy Hash: 6B71E27090C6979EDB51CFB88850AD9BBB1AB1A220F24836CD9A5973DDC331D4C2DB50

Function 6E1162C0 Relevance: 3.1, APIs: 2, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E116466

Part of subcall function 6E169533: std::exception::_Copy_str.LIBCMT ref: 6E16954E

__CxxThrowException@8.LIBCMT ref: 6E11647D

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrow_mallocstd::exception::_std::exception::exception
String ID:
API String ID: 2299493649-0
Opcode ID: 9cbb6caa7ee9afa8c644edb7b888fe86e67f3204e06eb7c89f6c2db496f5a4a1
Instruction ID: f2e915e04489a69c48e1e1f0ca308ef56572221aefa6cef6f5a7bbcd1d5577c3
Opcode Fuzzy Hash: 9cbb6caa7ee9afa8c644edb7b888fe86e67f3204e06eb7c89f6c2db496f5a4a1
Instruction Fuzzy Hash: 17518AB19183409FD300CF98C881A8ABBE8BB85740F50493EF9598B390E771D984EB92

Function 6E12D2E0 Relevance: 3.1, APIs: 2, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E12D3E8
__CxxThrowException@8.LIBCMT ref: 6E12D3FF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 7902df4a38b25ca9b17f76d6881e9d3528eb8b0aa4950a665f1ca573b82bfc50
Instruction ID: 278110123ae1efb4b01c6a1163969d9d7c025ad0bc7712ef254fc001dd31134a
Opcode Fuzzy Hash: 7902df4a38b25ca9b17f76d6881e9d3528eb8b0aa4950a665f1ca573b82bfc50
Instruction Fuzzy Hash: AF313BB55087059FC704CF68C88099ABBF4FF89714F608A2EF4558B350E731E986DB92

Function 6E118400 Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E118449
__CxxThrowException@8.LIBCMT ref: 6E11845E

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: c226b1d741735eda67df9337cbd68016c3e951e5976305721624dbf2f6812a43
Instruction ID: d64189bb6f801d5e3825e6a162bf0c624a3e7432dbaea1ecd0b58b30acb4de97
Opcode Fuzzy Hash: c226b1d741735eda67df9337cbd68016c3e951e5976305721624dbf2f6812a43
Instruction Fuzzy Hash: E50144755042089FC708DF94D4A0CDABBB5EF54300B50C5ADDD1A4B750EB30EA95DB95

Function 06700000 Relevance: 2.6, Strings: 2, Instructions: 104COMMON

Download Yara Rule

Strings

TJbq, xrefs: 0670008F
Te]q, xrefs: 06700077

Memory Dump Source

Source File: 00000000.00000002.2120698527.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6700000_file.jbxd

Similarity

API ID:
String ID: TJbq$Te]q
API String ID: 0-3147309840
Opcode ID: 87d560497a034d877a779c5aeed269a0a366e830132fed08674bb0f54438e8f1
Instruction ID: 265e62dfaa79a9aa48c09da1ed79228dead6e270bef925edba941aeb7e6fca42
Opcode Fuzzy Hash: 87d560497a034d877a779c5aeed269a0a366e830132fed08674bb0f54438e8f1
Instruction Fuzzy Hash: 7931D471A192914FC706AFB4886976E7FF2AF86210F0904DAC445DB3E2D9249D09C7A2

Function 6E118D60 Relevance: 2.6, APIs: 2, Instructions: 78COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,6E118C13,?,6E118CD3,?,6E118C13,00000000,?,?,6E118C13,?,?), ref: 6E118D73
LeaveCriticalSection.KERNEL32(?,?,?,6E118CD3,?,6E118C13,00000000,?,?,6E118C13,?,?), ref: 6E118D8C

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 5e69d6d8d9e9366bdc8533420aa10ccae2524f820cddb1200b9c0ab37fdbe72c
Instruction ID: 65df5ad5cc1256b272e897ea000d0994a59f8cd489ade930d987145ff8b7f715
Opcode Fuzzy Hash: 5e69d6d8d9e9366bdc8533420aa10ccae2524f820cddb1200b9c0ab37fdbe72c
Instruction Fuzzy Hash: AE211975204209AF8B04CF89D890DAFB3BAFFC9210B108559F91587340CB30EE16DBA1

Function 06700048 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

TJbq, xrefs: 0670008F
Te]q, xrefs: 06700077

Memory Dump Source

Source File: 00000000.00000002.2120698527.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6700000_file.jbxd

Similarity

API ID:
String ID: TJbq$Te]q
API String ID: 0-3147309840
Opcode ID: 1fa7f434bb3aebf8fdca95210a9f4c76f234d50a640c2cfa1c7919b308c94d02
Instruction ID: d891f518f5fbd53d95e1134ba44b5d4d656a78c970eab299406e984fad19ec43
Opcode Fuzzy Hash: 1fa7f434bb3aebf8fdca95210a9f4c76f234d50a640c2cfa1c7919b308c94d02
Instruction Fuzzy Hash: 4A118170B101155FCB15EBB99494B7FBAF6EBC8610F50486DD50AAB3C0CE21AD058BE6

Function 6E118BC0 Relevance: 2.6, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,6E116890,?), ref: 6E118BDD
LeaveCriticalSection.KERNEL32(?), ref: 6E118C23

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 80a26fe84728454389bc3e6997460bb391d0516e79bbc21d20d3241ce56a6080
Instruction ID: 6964c36b839ebd3494e01c7951dc33bba91695467765aea841a312cb315b6088
Opcode Fuzzy Hash: 80a26fe84728454389bc3e6997460bb391d0516e79bbc21d20d3241ce56a6080
Instruction Fuzzy Hash: 08019A71704104AFC740DFA8C88099BF3A8FB992007108669E905C7300DB32EE91D7D5

Function 05B8BF44 Relevance: 1.8, APIs: 1, Instructions: 297processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05B8C21F

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 881bd09ee2f14728be4dc7e0486671335633a821151d3d988edd3bc222345ab1
Instruction ID: 44a89780a65564923e765220eec6cf64d907df13ef50b0a25e898a4f558b74f0
Opcode Fuzzy Hash: 881bd09ee2f14728be4dc7e0486671335633a821151d3d988edd3bc222345ab1
Instruction Fuzzy Hash: 1AB126B0D002198FDB10EFA8C885BEDBBF1FF09304F14A1A9D859AB280D774A985CF55

Function 05B8BF50 Relevance: 1.8, APIs: 1, Instructions: 295processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 05B8C21F

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 74e9aa682175e214ef666a37d9c0992a2293f15c7bc09f246bcd5d9430dfbb35
Instruction ID: 7a00d8b5850f02ae2b0f4f87ebd303b9265fa7408c5720e26f9f383093580082
Opcode Fuzzy Hash: 74e9aa682175e214ef666a37d9c0992a2293f15c7bc09f246bcd5d9430dfbb35
Instruction Fuzzy Hash: 5BB126B0D042598FDB10EFA8C885BEDBBF1FF09304F14A1A9D859AB280D774A985CF55

Function 6E12E2CE Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 45447ed88c68d95a3b145da9d191d5f249fbd69f428b9e7249fc3453b9a525d9
Instruction ID: a35503dda7b0090849c10da75b42c8b70dd7403fb0210d42a601c315b4860a6d
Opcode Fuzzy Hash: 45447ed88c68d95a3b145da9d191d5f249fbd69f428b9e7249fc3453b9a525d9
Instruction Fuzzy Hash: DA819DB19083818FEB21DFF8C891B9EB7E4BB51304F25497DD2598B290D77189C4AB53

Function 05B8C670 Relevance: 1.6, APIs: 1, Instructions: 115injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05B8C745

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 9d8e157d22aa417ec21c65b8b52b5113b05cefc157477bc0d87a4a089386fc69
Instruction ID: de24fffa24987667a3ed498d7eb9cd0780a747a5dc3027234fe2cb03b0701b99
Opcode Fuzzy Hash: 9d8e157d22aa417ec21c65b8b52b5113b05cefc157477bc0d87a4a089386fc69
Instruction Fuzzy Hash: A64159B9D002589FCB10DFA9D984AAEFBF5BB49310F14906AE818BB210D375A945CF64

Function 05B8C668 Relevance: 1.6, APIs: 1, Instructions: 115injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 05B8C745

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 5bb97f1fecaa2947aa73987a24f52de0ab1773ba3a908a85db9d98a0222e9573
Instruction ID: eea9ab6c368b366963660f5cd7216e1d300d1a1ebf58a333b180b94962ddbb63
Opcode Fuzzy Hash: 5bb97f1fecaa2947aa73987a24f52de0ab1773ba3a908a85db9d98a0222e9573
Instruction Fuzzy Hash: 53416AB9D00258DFCB10DFA9D984AEDFBF1BB09310F24946AE818BB210D375A945CF64

Function 05B8C550 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05B8C5FC

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b54ae1301daac6af57bdf630d14b61b483197e7d90cba49063a8fdea67c152d1
Instruction ID: 7020c333f40aee739849748c5b46274c728269736c29bc7a0ddf77942eec9497
Opcode Fuzzy Hash: b54ae1301daac6af57bdf630d14b61b483197e7d90cba49063a8fdea67c152d1
Instruction Fuzzy Hash: 653155B9D012589FCF10DFA9D984A9EFBF5FB19310F10A02AE818BB210D375A945CF64

Function 05B8C548 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 05B8C5FC

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 280b581bbecbe2fbfd770c678d5a5035a2db65d81217950a247244cc25a9b9ce
Instruction ID: 761497a0d6b1b9142c23776946db42039234aaede22b0a4f750f70ee7ab49867
Opcode Fuzzy Hash: 280b581bbecbe2fbfd770c678d5a5035a2db65d81217950a247244cc25a9b9ce
Instruction Fuzzy Hash: BC4158B9D012589FCF10DFA9D984A9DFBB1FF19310F10A05AE818BB210D375A945CF64

Function 6E117140 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 6E132820: _malloc.LIBCMT ref: 6E132871

std::tr1::_Xweak.LIBCPMT ref: 6E1171D2

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Xweak_mallocstd::tr1::_
String ID:
API String ID: 4085767713-0
Opcode ID: 74a0ee6d5fa8f0a9fda13318ca562071a6cc6a4b26b459bcf783ff7d8fa40ffc
Instruction ID: b8b467f2023b03eff13d92a972927e2a15569ffd0c69509eb074c175367cd228
Opcode Fuzzy Hash: 74a0ee6d5fa8f0a9fda13318ca562071a6cc6a4b26b459bcf783ff7d8fa40ffc
Instruction Fuzzy Hash: DE31A2B4A0474A9FCB10CFA9C890AABB7F9FF49204F208A5DE81597780D331E945DB50

Function 05B8C450 Relevance: 1.6, APIs: 1, Instructions: 81threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05B8C4DB

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 22d50d38a369a712e9f5db393f29fbb87dd6b0440a0558656e287fb3aed42c92
Instruction ID: 9d04d0b53f434dae15b1b883e69a794088ab4951804a47ec3a9049df49885465
Opcode Fuzzy Hash: 22d50d38a369a712e9f5db393f29fbb87dd6b0440a0558656e287fb3aed42c92
Instruction Fuzzy Hash: 4E3189B5D012589FCB10DFA9E584AEEFBF4AB09310F24906AE819B7310D779A944CF64

Function 05B8C449 Relevance: 1.6, APIs: 1, Instructions: 81threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 05B8C4DB

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 91033288d586bdb6f627907618d2fd3b3d388d70e93c814a5c7349728c77dae7
Instruction ID: 59cccd5367580d55e6aae69d477235db1e7d1b78b402ddf93e1f0199b2ab34e0
Opcode Fuzzy Hash: 91033288d586bdb6f627907618d2fd3b3d388d70e93c814a5c7349728c77dae7
Instruction Fuzzy Hash: 75319BB5D012589FCB10DFA9E584AEDFBF0BB09310F24906AE419B7310D779A944CF64

Function 05B8C7C8 Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05B8C845

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 0f03e55f1e12c1d5fd1e3af8b78f922fc5a1c4194c2876281427117d64a6dde7
Instruction ID: 4ff7476c67808839ccd154fc850554dd0e755bdbd683b2fbb85a915989bd3601
Opcode Fuzzy Hash: 0f03e55f1e12c1d5fd1e3af8b78f922fc5a1c4194c2876281427117d64a6dde7
Instruction Fuzzy Hash: F93187B4D012589FCB14DFA9E984AAEFBF5FB09310F10906AE818B7310D775A941CFA4

Function 05B8C7C0 Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 05B8C845

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 212974290e410d38e7ea92c56191b0bf8c083e99f5e309b68ef4159e38fdc114
Instruction ID: 743d10e674a7c238bb43a75eb99720853b3f99e04bcab832e8f09dbbcb892dda
Opcode Fuzzy Hash: 212974290e410d38e7ea92c56191b0bf8c083e99f5e309b68ef4159e38fdc114
Instruction Fuzzy Hash: FF31ABB8D012189FCB10DFA9D984AADFBF1FB09310F10905AE418B7310D774A945CF64

Function 6E12EA40 Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

SysAllocString.OLEAUT32 ref: 6E12EA8D

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: f9a3719af8348aa454806c7a1ef65b82bb8b1589d05a73e3759202b2bf281778
Instruction ID: 693855aae7192e1478133cca8c727ed57a357ea78d747eaadd49aa2cb3b918f8
Opcode Fuzzy Hash: f9a3719af8348aa454806c7a1ef65b82bb8b1589d05a73e3759202b2bf281778
Instruction Fuzzy Hash: A30184B1904A55EFD711CF94C900B5AB7B8FB05B24F10472AE81597380D7B595809AD0

Function 6E169D21 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6E16E8DC

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: H_prolog3_catch_malloc
String ID:
API String ID: 529455676-0
Opcode ID: 66d34c8301e588bbbbc9cf919736f87219375b60dfeff8bb25ff27e5756dbf37
Instruction ID: 252252303e9042433f117bf5296070e82bf752f6726a35f37d61596a42b5328f
Opcode Fuzzy Hash: 66d34c8301e588bbbbc9cf919736f87219375b60dfeff8bb25ff27e5756dbf37
Instruction Fuzzy Hash: 72D0A731514209DBCF41EBD9C405FAE7BB8BB45365FA04465E008BE280DF724FE0A75A

Function 6E16A510 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

___security_init_cookie.LIBCMT ref: 6E16A510

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ___security_init_cookie
String ID:
API String ID: 3657697845-0
Opcode ID: 27b748a9c275510458f0068f842967d98f7d0f67ac18c1338cd75791cb2cbf1f
Instruction ID: 29a0aeb98ff0dc9359f1b04f8cdc98510438526f24e8c123fe457f43f8d2cebd
Opcode Fuzzy Hash: 27b748a9c275510458f0068f842967d98f7d0f67ac18c1338cd75791cb2cbf1f
Instruction Fuzzy Hash: 70C09B351443089F8B04CF50F841CDE3719AF54224720D515FC1C067509B3195B1F554

Function 03468C28 Relevance: 1.4, Strings: 1, Instructions: 101COMMON

Download Yara Rule

Strings

8aq, xrefs: 03468D19

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID: 8aq
API String ID: 0-538729646
Opcode ID: 1dca47daca6ae6776090331127fcb1e668153f247e22254d71c778b74a761766
Instruction ID: 4d9a429c8e2d2aeb0d317bb4543c41dcb6ef9b08f8f4b35fe2a37126f441dc59
Opcode Fuzzy Hash: 1dca47daca6ae6776090331127fcb1e668153f247e22254d71c778b74a761766
Instruction Fuzzy Hash: 02410574E06209CFCB14DFA9D4886EEBBF5BF49300F14902AD415BB260DB345985CB5A

Function 0346B4E8 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

Haq, xrefs: 0346B57C

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID: Haq
API String ID: 0-725504367
Opcode ID: 714a10291c0bbbb79675c9e24abfbcbc7d4471826f265b3caef25011b709cf6d
Instruction ID: 48370d11b62c488dccf5de4fdee9b94a66d30e3d55ef6d39a9e7f997fcfa4182
Opcode Fuzzy Hash: 714a10291c0bbbb79675c9e24abfbcbc7d4471826f265b3caef25011b709cf6d
Instruction Fuzzy Hash: BA21E171A04214AFD7959F68CC55BAE7BBAFF95300F108096E505DB284DA309E06C792

Function 03460A20 Relevance: .1, Instructions: 79COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fa2aef025cfb8e7acd74b887c3d969902b1fdfb1feec99a694379a678e664ce3
Instruction ID: 198aff73c67e2c9aceb6ad929c69f21825dbc22174bb69abcacfad2315d43879
Opcode Fuzzy Hash: fa2aef025cfb8e7acd74b887c3d969902b1fdfb1feec99a694379a678e664ce3
Instruction Fuzzy Hash: AC314470D09209CFCB14CFA4D8446EEBBB6FF9A340F10946AC419BB244D7795A8ACF55

Function 03469970 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c3ddbaf8e233dd8e45577c3124366886c87a471bb46131ed714e40581efaa31c
Instruction ID: a47abb8e9da805951a4a25479de626951355ea693dbb3b324b8edcb48ae85f88
Opcode Fuzzy Hash: c3ddbaf8e233dd8e45577c3124366886c87a471bb46131ed714e40581efaa31c
Instruction Fuzzy Hash: 2B215E30E042189FDB14DFA9D8946EEBBBAFF88310F14852AD405A7388CF745D45CB66

Function 03460CE6 Relevance: .1, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 782c81f0953ae55c16378f3c0cc7cc23962af0ade73d2941a058d1e303b027bd
Instruction ID: 3060421279118e62e95a21c578880b183fa7ae1a3d96af3078a9aba1e3f10951
Opcode Fuzzy Hash: 782c81f0953ae55c16378f3c0cc7cc23962af0ade73d2941a058d1e303b027bd
Instruction Fuzzy Hash: 49319774E00219DFDB04DFE9D594A9EBBBAFF88300F108515E919A7365CB34AD06CB51

Function 0192D964 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103489759.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8694f6bd645cc3a78d4ea9c68fad7bb099e65b226db0dfad6fec8aa4261f718
Instruction ID: 167f8454b2f60dee83c32fd62270e2a55f88653c7ef1a6ccd958da0edc66e733
Opcode Fuzzy Hash: e8694f6bd645cc3a78d4ea9c68fad7bb099e65b226db0dfad6fec8aa4261f718
Instruction Fuzzy Hash: BC21F575604244DFDB05DF58D980F26BFAAFB84314F248569E90D0B25AC33AD806CBA2

Function 06702516 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120698527.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6700000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b0bbf5f13d228d0c33c888ba0f9feb8622b67c93451a06ed52e25d8020a12057
Instruction ID: 5aa3bbe9e46024f92c2a01f80c05be9281928f3e3f1ca09097b5ee3311eab5d6
Opcode Fuzzy Hash: b0bbf5f13d228d0c33c888ba0f9feb8622b67c93451a06ed52e25d8020a12057
Instruction Fuzzy Hash: D321D071A10205CFDB54DF68C56466EBBF2AF84310F11C915D422CB399DB30ED42CB91

Function 0192DA4C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103489759.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 741ec1799d983f143c754da220866df2393e935f8adf4ff74bbbd041eee8ce73
Instruction ID: 6e6e7c3ac77957ba6fd924c535e49667bc3aa1bc2f6c12d77b1e5f6370fa7443
Opcode Fuzzy Hash: 741ec1799d983f143c754da220866df2393e935f8adf4ff74bbbd041eee8ce73
Instruction Fuzzy Hash: 1221D4B1508344DFDB15DFA8D984F26BFA9FB88314F24C969E90D4B25AC33AD406C7A1

Function 0192D44C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103489759.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e84ddef4a39471108b203d3124a1600380bfe6504a60ca50a308f44f00311191
Instruction ID: 792c7aa4ac6ac52390dc8d84bc96b2e626d3ba1938fecbab9bb3cfe117e7afd1
Opcode Fuzzy Hash: e84ddef4a39471108b203d3124a1600380bfe6504a60ca50a308f44f00311191
Instruction Fuzzy Hash: AD212371604240EFDB11DF58D5C0F66BFA9FB84714F20C56DD80D0B29AC33AE446C6A2

Function 0346B010 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4bc0e2cefa8a3c63eeaba13ec6f31104587010e65bcd63380769ce798c0a138
Instruction ID: c49e098a4317417d7194de471c3e14aa8026ca376051d742a0a2f0e6b4c8fa83
Opcode Fuzzy Hash: f4bc0e2cefa8a3c63eeaba13ec6f31104587010e65bcd63380769ce798c0a138
Instruction Fuzzy Hash: F421FE74E08219DFCB05CFAAC840AEEBBB5FB49310F00802AE925AB350C7359945CFA5

Function 06700848 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120698527.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6700000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2fcb4c85b3f7d326109d4f2276b9f222860419442bd3c52d0b59b719522ee600
Instruction ID: 1dbb97051cc151062031a4f96d61af55b6e8fe7426b35c92953f6af16aea0d6d
Opcode Fuzzy Hash: 2fcb4c85b3f7d326109d4f2276b9f222860419442bd3c52d0b59b719522ee600
Instruction Fuzzy Hash: 9F115E753092804FC706DB79D898D697FF5EF8A22034645EAE149CB3B2DA259C05CB61

Function 03460C78 Relevance: .1, Instructions: 63COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a1980c78bdce5d74a71d7c31d7b185f2f2ceb1984364f2d95063ae8ea7bbffbc
Instruction ID: 3e475a08a121aa666225fdac2f42e143b97a9dd91f8d08a011ca3d0aa3d48f7c
Opcode Fuzzy Hash: a1980c78bdce5d74a71d7c31d7b185f2f2ceb1984364f2d95063ae8ea7bbffbc
Instruction Fuzzy Hash: 6A21FE70E4921A8FCB19CFA8C940AEEBBB9BF49300F14862AD415BB355D7749902CF55

Function 03460C88 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1fb99547d27b2a8ccf7c1ae3480c10645f2a91136316950f4794aef46173fcd7
Instruction ID: fe1803ef86003626c486b082ed7722c73160ed53f4c05d47fe72060653c9a953
Opcode Fuzzy Hash: 1fb99547d27b2a8ccf7c1ae3480c10645f2a91136316950f4794aef46173fcd7
Instruction Fuzzy Hash: 2A11FE70E0921A8FCB18CFA9C9405EEFBF9BF49300F049626D415B7355DB749901CB65

Function 0192D95F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103489759.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523fabb44b02fcaa1064eae8d9a10a48e2cd5a800d24befd30ec8c8c27650fb1
Instruction ID: c7cf3c1bddfb6311486468b22379524b5470e200f1b900c0049eeed965088a9d
Opcode Fuzzy Hash: 523fabb44b02fcaa1064eae8d9a10a48e2cd5a800d24befd30ec8c8c27650fb1
Instruction Fuzzy Hash: 3711D076508280CFDB12CF54D5C4B16BFB2FB84314F24C6A9D9490B65BC33AD41ACBA2

Function 0192DA47 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103489759.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2dc214fb3b67dee6d63525546fcd79b48668cd63b1e3b0b14567c0ac11da0e
Instruction ID: 4c091affb07159310c8d64760e237c393947d2882730c0358fa790c56271b12f
Opcode Fuzzy Hash: 8f2dc214fb3b67dee6d63525546fcd79b48668cd63b1e3b0b14567c0ac11da0e
Instruction Fuzzy Hash: 52110476504380CFDB12CF54D5C4B16BFB1FB84314F24C6A9D9090B656C33AD41ACBA2

Function 0192D447 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103489759.000000000192D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0192D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_192d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4c623aaf12d799d01dfa0934b93cccf601b23327cf73bb2393620fe977b88f
Instruction ID: 4abef44c3f27bd534945dc8d53cfe0850f581d77273312111d70e66bad5058ea
Opcode Fuzzy Hash: 7b4c623aaf12d799d01dfa0934b93cccf601b23327cf73bb2393620fe977b88f
Instruction Fuzzy Hash: 9411C175504280DFDB12CF14D5C4B59BFA1FB84325F24C6AAD84D4B65AC33AE44ACBA2

Function 06700868 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120698527.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6700000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 435a51928b78bb1f33ccd5140a9674f5b4c64dd02fa02102467ce21474732500
Instruction ID: b5b81e8f10663d7f83ab4b5a64165d9c97c411b2585d0e2c3d0e2690f729af7a
Opcode Fuzzy Hash: 435a51928b78bb1f33ccd5140a9674f5b4c64dd02fa02102467ce21474732500
Instruction Fuzzy Hash: FF0144753101109FC748EB6DD898C2EBBFAFFC962034144A9E10ACB3B1DE22EC018B90

Function 0190D149 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103412582.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 505ecaf5ae4dad741932d3e3d11084e01bc575049fee9f2c5f42d32a85e9439b
Instruction ID: 33b4a1e7f417083536ed83f25910e1c0478d111b31920a86a0adced3a1d4ff4b
Opcode Fuzzy Hash: 505ecaf5ae4dad741932d3e3d11084e01bc575049fee9f2c5f42d32a85e9439b
Instruction Fuzzy Hash: 1901F7710043049EF76A8AD9CD84B67BFECFF45321F18C92AED0C0A2C6C6799841CA71

Function 0190D148 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2103412582.000000000190D000.00000040.00000800.00020000.00000000.sdmp, Offset: 0190D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_190d000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 57c75fa9b60b36c8c02c5226929d992394cd341ad49664aea0aa7558feb60760
Instruction ID: 4258f962d708ee53a22ab1003a53a39327bd4e3ecc0ec544da33c7712e864fd9
Opcode Fuzzy Hash: 57c75fa9b60b36c8c02c5226929d992394cd341ad49664aea0aa7558feb60760
Instruction Fuzzy Hash: A8F06D71405344AEF7268A5ADC84B62FFECEF85635F18C45AEE4C4B2C7C2799844CAB1

Function 03460B10 Relevance: .0, Instructions: 27COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 77017cf372f053a33a969a4c79227c86b0cb441dcac19a5243c972961087b923
Instruction ID: 647ebb931068400cd2b772f0d61a7d4aaa3dffb8f996cf3a2edbde8b7521f243
Opcode Fuzzy Hash: 77017cf372f053a33a969a4c79227c86b0cb441dcac19a5243c972961087b923
Instruction Fuzzy Hash: ADF0E5B6C0D344CFCB11CFA0C8510E8BF75EDA6251B4541D7D055DF151E235960AC716

Function 03469F50 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 96e4f85b514d7b2a44a98615d1e400e8aab7421e2f25959ad38fee73140e31bb
Instruction ID: 89792285863ca36e1db519c4330cef0b2dfbcb6ec9fe6d25f785380baa2a52f4
Opcode Fuzzy Hash: 96e4f85b514d7b2a44a98615d1e400e8aab7421e2f25959ad38fee73140e31bb
Instruction Fuzzy Hash: 94E0C974D09208EFCB64DFA8D4049DDBBB9AB49310F0081A6EC1496350D7715A50DF81

Function 034609E8 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 58eff30a450b81466595a204984e086d26519f0170fd5e8f46954692f10fb857
Instruction ID: ea5c1a1c513976de56affbe057fa13b5a19bd5adc00d97c576bc21b79ae0473d
Opcode Fuzzy Hash: 58eff30a450b81466595a204984e086d26519f0170fd5e8f46954692f10fb857
Instruction Fuzzy Hash: CFD0C73008C3888FC3269FA098006E97BB49B0B322F080A5BD00A8B4A2C3281009CB12

Function 03468B00 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afedad40ed6dc60d4eb3d88937b4144645196e2c95a99840e4f485be25101d73
Instruction ID: 196a2d52b3fd0737c0cf32dbb261db52e41be3ed074f868bb5200af9f6ff3613
Opcode Fuzzy Hash: afedad40ed6dc60d4eb3d88937b4144645196e2c95a99840e4f485be25101d73
Instruction Fuzzy Hash: 03D0A7B094A208DFC720DFA8E5086ADB7FCE70A301F4044A9E818D7304D7715E00DF45

Function 03468BE8 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c12387a4f35e024491bc4aa61b1fd63d20f68f106a1cc7086a436f4fbda9890a
Instruction ID: 493fc6fec9b535f57f79dfce294a0bfe86a26f7d5ad01a6b7b48b76043ce1d9d
Opcode Fuzzy Hash: c12387a4f35e024491bc4aa61b1fd63d20f68f106a1cc7086a436f4fbda9890a
Instruction Fuzzy Hash: 6AD05EB085A208DFC760DFA898086A9B7F8E70A301F404495E818C3301D7714A00DB45

Function 03460838 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89449a2171c8e4ca8d104a79bd5c076226de6085bfc6e67340a1dc2e0ab68cc0
Instruction ID: d62095780c30799e49e8b482f3eaec41474cc4d280a572c801700eaa60d16ec3
Opcode Fuzzy Hash: 89449a2171c8e4ca8d104a79bd5c076226de6085bfc6e67340a1dc2e0ab68cc0
Instruction Fuzzy Hash: EFD05E3008D3488FC7A6DB98A8156AC7BB49B47321F09596BD4488B463C3698882DB83

Function 0346BC30 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 205e81a023d84565f2d18ac79319505c3a9cb4d3f9a738e38869776f95ed6418
Instruction ID: 76ae44e2c5ef2a189aab76d16135cf645e02a6d2ec8a08cadbde0678e4b1ac2f
Opcode Fuzzy Hash: 205e81a023d84565f2d18ac79319505c3a9cb4d3f9a738e38869776f95ed6418
Instruction Fuzzy Hash: 87D0C93120820C9BDF209EB2D90871ABB99EB01655F08C42AE409C6250DF31D960C655

Function 034609F8 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d232c4fa2bea2b2ccce71f694bf4009b452514d4c48fa8f4dfe08e8d6439180
Instruction ID: 1c38ca263704112c03b233c1629e25a2ebdb53aaf0d3b26451160b71e476ad86
Opcode Fuzzy Hash: 2d232c4fa2bea2b2ccce71f694bf4009b452514d4c48fa8f4dfe08e8d6439180
Instruction Fuzzy Hash: DDC08C3000D20C8ED231AFE568087B8B2AC971A30AF840406D41E094118B614018CA6B

Function 03469850 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b11299ff5235b051f3a0b2d91fc20abb77fc8ee9fc4231e4fb013e4f269eea0e
Instruction ID: 42fec2be2d3721a21183638f38dd44339f0d8b33765ff8107308b61b9db1ae55
Opcode Fuzzy Hash: b11299ff5235b051f3a0b2d91fc20abb77fc8ee9fc4231e4fb013e4f269eea0e
Instruction Fuzzy Hash: 5DD0C97041D2C489D732DEE6B1083657EA86312319F482086F88409A8BC7F65098C766

Function 03460848 Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55a1893786c5f3885f7ede4da91e8603ead41cfa8434c7b3dc603b1a3617e3a0
Instruction ID: 129d8826d276228ccfe33b25d9339fe58d5ea19e17460d857bf42b971c268d49
Opcode Fuzzy Hash: 55a1893786c5f3885f7ede4da91e8603ead41cfa8434c7b3dc603b1a3617e3a0
Instruction Fuzzy Hash: 28C02B3000E2048EC972DE84700877072AC9307313F882805D40C01417C760D850DBDB

Non-executed Functions

Function 6E122D70 Relevance: 35.2, APIs: 23, Instructions: 669COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E122DFF
VariantInit.OLEAUT32(?), ref: 6E122E08
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E122E7E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E122EB5
VariantClear.OLEAUT32(?), ref: 6E122EC1

Part of subcall function 6E12C850: VariantInit.OLEAUT32(?), ref: 6E12C88F
Part of subcall function 6E12C850: VariantInit.OLEAUT32(?), ref: 6E12C895
Part of subcall function 6E12C850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E12C8A0
Part of subcall function 6E12C850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E12C8D5
Part of subcall function 6E12C850: VariantClear.OLEAUT32(?), ref: 6E12C8E1

VariantClear.OLEAUT32(?), ref: 6E1230D5
SafeArrayDestroy.OLEAUT32(?), ref: 6E123550
VariantClear.OLEAUT32(?), ref: 6E123563
VariantClear.OLEAUT32(?), ref: 6E123569

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: 96babaf25461a61e8abf71556b2707609e7b58a84b8a144ce7ac102361e7d05d
Instruction ID: edf0b123ba49cee944d16dd42cda90732a50531410f2bcdc1c3ea6f2fa749c28
Opcode Fuzzy Hash: 96babaf25461a61e8abf71556b2707609e7b58a84b8a144ce7ac102361e7d05d
Instruction Fuzzy Hash: 6B526E71900219DFCB54DFA8C884BDEBBB9FF59700F1485A9E509AB350DB30A986DF90

Function 6E11A0C0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 227libraryloaderCOMMON

Download Yara Rule

APIs

CorBindToRuntimeEx.MSCOREE(v2.0.50727,wks,00000000,6E190634,6E190738,?), ref: 6E11A119
GetModuleHandleW.KERNEL32(mscorwks), ref: 6E11A145
__cftoe.LIBCMT ref: 6E11A1FB
GetModuleHandleW.KERNEL32(?), ref: 6E11A215
GetProcAddress.KERNEL32(00000000,00000018), ref: 6E11A265

Strings

v2.0.50727, xrefs: 6E11A110
wks, xrefs: 6E11A10B
mscorwks, xrefs: 6E11A140

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: HandleModule$AddressBindProcRuntime__cftoe
String ID: mscorwks$v2.0.50727$wks
API String ID: 1312202379-2066655427
Opcode ID: fa97b7801547c88093f2a961a457c831e5456f44cd37570de41d05a69ccd8f3a
Instruction ID: 4cc8b817624535ba6d031469d4fe67a3299803632e5475442710997438662642
Opcode Fuzzy Hash: fa97b7801547c88093f2a961a457c831e5456f44cd37570de41d05a69ccd8f3a
Instruction Fuzzy Hash: E6919E71E082499FDB04CFE8C984ADEBBB5BF49310F20866DE119EB340D734A989DB55

Function 6E15DBB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,4F740BFF,6E188180,00000000,?), ref: 6E15DBFB
GetLastError.KERNEL32 ref: 6E15DC01
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000008), ref: 6E15DC15
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000028), ref: 6E15DC26
SetLastError.KERNEL32(00000000), ref: 6E15DC2D

Part of subcall function 6E15D9D0: GetLastError.KERNEL32(00000010,4F740BFF,7508FC30,?,00000000), ref: 6E15DA1A

__CxxThrowException@8.LIBCMT ref: 6E15DC78

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Strings

Crypto++ RNG, xrefs: 6E15DC0D, 6E15DC20
CryptAcquireContext, xrefs: 6E15DC35

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: AcquireContextCryptErrorLast$ExceptionException@8RaiseThrow
String ID: CryptAcquireContext$Crypto++ RNG
API String ID: 3279666080-1159690233
Opcode ID: 1a7cbc173b6a36ba1c4bd59d3d60433ab758c70cfc68e52608baf027997ced6a
Instruction ID: c8561427d5c4be2253f8e54bcdd374bfac8abd5892d3144484f45dc3c4fb2c48
Opcode Fuzzy Hash: 1a7cbc173b6a36ba1c4bd59d3d60433ab758c70cfc68e52608baf027997ced6a
Instruction Fuzzy Hash: B521D4B1258340AFE310DBA8CC45F9B7BECAB59754F50091DF1419A3C0EBB5A4849B61

Function 6E16948B Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6E16CE6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6E16CE81
UnhandledExceptionFilter.KERNEL32(6E189428), ref: 6E16CE8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6E16CEA8
TerminateProcess.KERNEL32(00000000), ref: 6E16CEAF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: a8c0973737ea0a27aecbd75d243ceac7f9bd9a2e3a3a7f061b6b84ddb0c84cd2
Instruction ID: 2a8ea64c9e30a49a2409458ad5548f2e4a84052b0fa0c07c44511fb510af6506
Opcode Fuzzy Hash: a8c0973737ea0a27aecbd75d243ceac7f9bd9a2e3a3a7f061b6b84ddb0c84cd2
Instruction Fuzzy Hash: 0321F0B4904A88DFCF50CF9CD048AAE3BB4FB0A314F10C41AE40987B48EBB04985AF15

Function 6E162310 Relevance: 6.7, APIs: 4, Instructions: 663COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E1624A1

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

std::exception::exception.LIBCMT ref: 6E16248C

Part of subcall function 6E169533: std::exception::_Copy_str.LIBCMT ref: 6E16954E

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 757275642-0
Opcode ID: c787262926eeb0a988f05bc1dc9fd81567431c6eb717ed59424e0ddd4deb9c53
Instruction ID: 3afb90bd07bc6afdcd0deda9c2bea61f1e18127c5c93681fa63dba1b8725cda1
Opcode Fuzzy Hash: c787262926eeb0a988f05bc1dc9fd81567431c6eb717ed59424e0ddd4deb9c53
Instruction Fuzzy Hash: 5D328071A006068FDB54CFE8C890AAEB7B9FF99744B24451DE816DB354EB30ED90DB90

Function 6E155DD0 Relevance: 6.4, APIs: 4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 956f657a78e45ba31db5c188136a234022500ab96138bd29383dbf76a14f3f0a
Instruction ID: d6741a0172fd554c92dc5564f29423b04a688ca9d5e69789e007465b468432ca
Opcode Fuzzy Hash: 956f657a78e45ba31db5c188136a234022500ab96138bd29383dbf76a14f3f0a
Instruction Fuzzy Hash: 4802CE704187988FC764CF6DC8A093EBBF1EBDA311F41490EE2F657295C234A568EB61

Function 6E155EB9 Relevance: 6.3, APIs: 4, Instructions: 318COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E1562FC
_memmove.LIBCMT ref: 6E15632B
_memmove.LIBCMT ref: 6E15635A
_memmove.LIBCMT ref: 6E156389

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 8eefdb323890d976819852e05fc220db0f5ec88cc472a71eec33ddc20f266bf3
Instruction ID: 16dd42a6359cec17d456efbc6087a55805bb9e761aa5c9c521cccbeb6d4c1c04
Opcode Fuzzy Hash: 8eefdb323890d976819852e05fc220db0f5ec88cc472a71eec33ddc20f266bf3
Instruction Fuzzy Hash: DCE1C2704187988FC764CF6DC8A093E7BF1EBD6211F41450EE2F5472A9D234A16CEB21

Function 06700930 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

LOOK, xrefs: 067009B1
HERE, xrefs: 067009B6
Guq, xrefs: 06700D19
Guq, xrefs: 06700BBB

Memory Dump Source

Source File: 00000000.00000002.2120698527.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6700000_file.jbxd

Similarity

API ID:
String ID: HERE$LOOK$Guq$Guq
API String ID: 0-1031546151
Opcode ID: 01f8488a27b2fbe7077ef6ffcfd5044e8addd815ed89afc6266cc93b99e52fac
Instruction ID: d146daedab2c6e7f6e586c56f65b24c5fa4a08f7a4678bb051cafab690ffaa19
Opcode Fuzzy Hash: 01f8488a27b2fbe7077ef6ffcfd5044e8addd815ed89afc6266cc93b99e52fac
Instruction Fuzzy Hash: EFF18174E412298FEBA4DF69C984BD9B7F5BB48310F1086E6D50DA7251DB309E818FA0

Function 6E15DE00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(?,?,?,4F740BFF,00000000), ref: 6E15DE6F
__CxxThrowException@8.LIBCMT ref: 6E15DEB9

Part of subcall function 6E15DD20: CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6E17F0E6,000000FF,6E15DF67,00000000,?), ref: 6E15DDB4

Strings

CryptGenRandom, xrefs: 6E15DE7B

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Crypt$ContextException@8RandomReleaseThrow
String ID: CryptGenRandom
API String ID: 1047471967-3616286655
Opcode ID: 28da6156c7a2a655b7662e086b22ecee4a152a96f48a090daea5448a8cf2ab76
Instruction ID: 0b7459b685a35374cc019191f44cc037abf157d3f06e8823f5c33e43ec7172e6
Opcode Fuzzy Hash: 28da6156c7a2a655b7662e086b22ecee4a152a96f48a090daea5448a8cf2ab76
Instruction Fuzzy Hash: C2213BB51187849FD704DF68C444BABBBE9FB89714F008A0DF46587384DB74A588DF52

Function 6E1563B0 Relevance: 5.1, APIs: 3, Instructions: 648COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E156437

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 87f8fb26f76a2a3fffc2412126b9f386b173cf6b667232845e0882952d379d47
Instruction ID: 73b0b1dad3f11d07cd6a5708202f4dd56eabff5f8fe8fbdec0cdd1b13b46f5a6
Opcode Fuzzy Hash: 87f8fb26f76a2a3fffc2412126b9f386b173cf6b667232845e0882952d379d47
Instruction Fuzzy Hash: 5252F0B05146658BC754CF2DC0E053ABBF2EFCA311BA4C55DD4E68B38AD234B591EBA0

Function 6E15D9D0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000010,4F740BFF,7508FC30,?,00000000), ref: 6E15DA1A

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

Strings

operation failed with error , xrefs: 6E15DA49
OS_Rng: , xrefs: 6E15DA35

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ErrorLastXinvalid_argumentstd::_
String ID: operation failed with error $OS_Rng:
API String ID: 406877150-700108173
Opcode ID: a7d2a9fb7bfedfbb749e3e2b97037031b41d90f7633d4237efbe1980a969e5a6
Instruction ID: 4a155d3b2fe95edc15cf01f5a8beeabf4b676ab539e944791aeb73b15b5310f5
Opcode Fuzzy Hash: a7d2a9fb7bfedfbb749e3e2b97037031b41d90f7633d4237efbe1980a969e5a6
Instruction Fuzzy Hash: 84417AB19083809FD320CFA9C841B9BBBE9BF99654F104D2DE19987340EB759488DF63

Function 6E161CA0 Relevance: 3.6, APIs: 2, Instructions: 619COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6E161E1D

Part of subcall function 6E169533: std::exception::_Copy_str.LIBCMT ref: 6E16954E

__CxxThrowException@8.LIBCMT ref: 6E161E32

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 757275642-0
Opcode ID: 2c7cb01da3f7e8958b6c3cad5be336bc4592ef2f4a5b0e91c93f0d408a26b393
Instruction ID: 7b9158670ec7ad9bf3f101e65c638e60c166ac19255eab778c2010efd7c2b8cc
Opcode Fuzzy Hash: 2c7cb01da3f7e8958b6c3cad5be336bc4592ef2f4a5b0e91c93f0d408a26b393
Instruction Fuzzy Hash: 0832B471B002069FDB48CFD9C8909AEB3BABF99744B24851DE516DB350EB30ED94DB90

Function 6E170B89 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a4b59e691a78c0b33a757956e3a2ae5fc454f3c514eb3d62a9310150ec5b287
Instruction ID: 1224c99bade27e7ebeba343fa3b0aaff02fbb137818b9fdf07ffe20d87c08426
Opcode Fuzzy Hash: 0a4b59e691a78c0b33a757956e3a2ae5fc454f3c514eb3d62a9310150ec5b287
Instruction Fuzzy Hash: D3322422E29F414DDB639534C832326A25DAFB77D4F11D727F829B5E9AEB29C4C36100

Function 6E15DEE0 Relevance: 1.6, APIs: 1, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 6E104760: __CxxThrowException@8.LIBCMT ref: 6E1047F9

CryptReleaseContext.ADVAPI32(?,00000000,00000000,?), ref: 6E15DF7B

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ContextCryptException@8ReleaseThrow
String ID:
API String ID: 3140249258-0
Opcode ID: 56eded19f4a49a7866cb49aa73b71446769da8f534d9e617ca32a20f9d1dda24
Instruction ID: 0e900488d3883d3771a83b8b6b04ab8eefa558108ff1db12a0a6d0536cdc0014
Opcode Fuzzy Hash: 56eded19f4a49a7866cb49aa73b71446769da8f534d9e617ca32a20f9d1dda24
Instruction Fuzzy Hash: 8D21BEF5508344AFC200DF54D840B8BBBE8EB9AB68F100A1DF85583381DB71E949CBA2

Function 6E15DD20 Relevance: 1.6, APIs: 1, Instructions: 66encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6E17F0E6,000000FF,6E15DF67,00000000,?), ref: 6E15DDB4

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: fcc43bfdda915e5cf961aedd0e8136e2bd5cde6339ab4f0542f9389c6da28d01
Instruction ID: b9b042450e27f53bed0b859dcdc6d0b1a06b19ec0c9dfb8c66658428a5bf4ceb
Opcode Fuzzy Hash: fcc43bfdda915e5cf961aedd0e8136e2bd5cde6339ab4f0542f9389c6da28d01
Instruction Fuzzy Hash: 5F11DAF16047915BE710CF9CC880B6B77E8F706650F14492DED25C7384EB799494AB91

Function 6E15D7F0 Relevance: 1.5, APIs: 1, Instructions: 17encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6E15D803

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: ce50d8d958489936f1667875fadee820d65547324e95c5fd660f708a2db7c655
Instruction ID: 5297493367f2bae7f6a4e201f3750e3406734b3144ba953d387432b5c9d5599d
Opcode Fuzzy Hash: ce50d8d958489936f1667875fadee820d65547324e95c5fd660f708a2db7c655
Instruction Fuzzy Hash: 86D02EB070021153D2209BA48C00B8777CC4F11B00F248828F96AD2280CAB0C8D09BD8

Function 6E1835E0 Relevance: 1.5, APIs: 1, Instructions: 17encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6E1835F5

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 9ff9e502f1352d18503590ed1c0dcee18a97528844390a551aef1ecd3e97c847
Instruction ID: 4d057326428ede1bce0dffbb7da6ffed90456d4aff400da55f3b54c42858a45a
Opcode Fuzzy Hash: 9ff9e502f1352d18503590ed1c0dcee18a97528844390a551aef1ecd3e97c847
Instruction Fuzzy Hash: 9DD05EB150155257EE50CAAC9829F9B33DC5B12640F2C0014E505DB180DF64D981AB64

Function 6E15D7D5 Relevance: 1.5, APIs: 1, Instructions: 8encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6E15D7E0

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 83aa2506cc65c9a0187af83800dcadce459849d98edfcfdab2950d37c8b5bb44
Instruction ID: b12d52dc0ca704f904ff2c694b40ff9a42daa6c9f64978c86a43867e902a1f3f
Opcode Fuzzy Hash: 83aa2506cc65c9a0187af83800dcadce459849d98edfcfdab2950d37c8b5bb44
Instruction Fuzzy Hash: 4CB012B07012016BEE3C8F218B68B2F3A19AF4274AF20844C661A592808E63D402DA08

Function 6E155830 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

@, xrefs: 6E155A30

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 09d429e98357fd4b106b9c3e744c4a9d03de43b513d7329856e6d7e5f9c8e4d7
Instruction ID: f030e191fc4cb642e48b8593d367386a2527d40a44b7b8e8d5a37dd6400d7836
Opcode Fuzzy Hash: 09d429e98357fd4b106b9c3e744c4a9d03de43b513d7329856e6d7e5f9c8e4d7
Instruction Fuzzy Hash: CF917D71818B868BE701CF6DC8425AAB7E0FFD9354F249B1DFDE462200EB749994C781

Function 6E17BFF1 Relevance: 1.4, Strings: 1, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

Strings

N@, xrefs: 6E17C001

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: 84478231f55b755ca9dca03bf12f6a1a40f589d4a5a1bc71e530dcb60e1132d0
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 25612971A003168FDB28CF88C49469EBBF2BF88710F26C5AED9195F255C7B19994DB80

Function 03460E48 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

4']q, xrefs: 03460F46

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: dff3f0cdef92e735c9162e767aee525223997dcb190016cdd138582c6dcc5c3b
Instruction ID: eb57ace2938577117e13d4240687a81c5a9c36da6bd73aaa1caf4fb48a4f5bd3
Opcode Fuzzy Hash: dff3f0cdef92e735c9162e767aee525223997dcb190016cdd138582c6dcc5c3b
Instruction Fuzzy Hash: 8F71F870E042098FDB19DFBAE95079EBBF6FBC9300F14C529D4089B269DB78590ADB40

Function 03460E58 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4']q, xrefs: 03460F46

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: c43cbeba8674f00e6c22a442fcdd1c6d7a5047153b92ec799bbfb18e6ee32cee
Instruction ID: 8532b9c67f52716ffc2d136815a37c7afda11f0fb85e658ef369b65744957a29
Opcode Fuzzy Hash: c43cbeba8674f00e6c22a442fcdd1c6d7a5047153b92ec799bbfb18e6ee32cee
Instruction Fuzzy Hash: 6761E870E042098FDB19DFAAE95079ABBF6FFC9300F14C529D4089B269EB785909DB40

Function 6E1558D7 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

@, xrefs: 6E155A30

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: b047373693e9cb2c16f0beaf54575c8f75f4f2de382469ac2ec07516f4230be5
Instruction ID: bbdd9f8c49093d04d9756e2ff48c3babb3ee8f78ceb0c2584ad6126dfa39c5f1
Opcode Fuzzy Hash: b047373693e9cb2c16f0beaf54575c8f75f4f2de382469ac2ec07516f4230be5
Instruction Fuzzy Hash: 2A519171818B828BE311CF6DC8815AAF7A0BFE9344F209B1DFDE462601EB759594D781

Function 6E1558D5 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

@, xrefs: 6E155A30

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 25dcc11d870f218c9611599aedeccf34c52bb894c8f490fe5e22bb40a015e76f
Instruction ID: a4657b724717520ad47c4fe7649b3a5509a4a5142d5d450ef594a2180b321e2e
Opcode Fuzzy Hash: 25dcc11d870f218c9611599aedeccf34c52bb894c8f490fe5e22bb40a015e76f
Instruction Fuzzy Hash: D8518171818B868BE301CF6DC8815AAF7A0BFE9344F20DB1DFDE462601EB759594D781

Function 03461648 Relevance: 1.4, Strings: 1, Instructions: 112COMMON

Download Yara Rule

Strings

&, xrefs: 03466DD3

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID: &
API String ID: 0-1010288
Opcode ID: 1f2976aaa882a6a6abf23a42752b55ce5613660628131567f9d011e75133eeb0
Instruction ID: 1d63f637de5479265b9a9beb507ac6f7937f96182068cd9256ee7be2361ebe6c
Opcode Fuzzy Hash: 1f2976aaa882a6a6abf23a42752b55ce5613660628131567f9d011e75133eeb0
Instruction Fuzzy Hash: C0514DB1D016188BEB68CF6BCD4479AFAF7AFC8201F14C1FA840CAA254DB354A958F45

Function 05B838F8 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

8bq, xrefs: 05B83957

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 234cc791dc61a4f300d07244ae9217657365420498ce3e9951ee17dfa6338d16
Instruction ID: 11a001ddb8732dea325297c506fe4edc6b9b823ffbe55cebe4a1fcdc07f03162
Opcode Fuzzy Hash: 234cc791dc61a4f300d07244ae9217657365420498ce3e9951ee17dfa6338d16
Instruction Fuzzy Hash: DE31A675D412089FDB04CFA9D880AEEBBB5FF49310F10946AE515B7360DB74AA04CF95

Function 05B83B18 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

lbq, xrefs: 05B83B77

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID: lbq
API String ID: 0-2620278156
Opcode ID: 0cd03cccccfbb0828f981d9200dd98454142720e7bbe8c1fd6726c036f37a8f0
Instruction ID: 527c1579185463517eeb0018788091a39c7aef36dac03180f5d41760e68577c3
Opcode Fuzzy Hash: 0cd03cccccfbb0828f981d9200dd98454142720e7bbe8c1fd6726c036f37a8f0
Instruction Fuzzy Hash: A231C775D41208AFDB04DFA8D880AEEBBB5FF49310F10946AE511B7360DB74AA04CFA5

Function 05B83B10 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

lbq, xrefs: 05B83B77

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID: lbq
API String ID: 0-2620278156
Opcode ID: 3be51ab9d5604a800ee5f5645329723fd3224d19374e09fd24c585de08e69bd4
Instruction ID: 8fe269296e60f229140871df8b4bc8b4a2bb1703b8787d50e7ea4ba17e9b1ba4
Opcode Fuzzy Hash: 3be51ab9d5604a800ee5f5645329723fd3224d19374e09fd24c585de08e69bd4
Instruction Fuzzy Hash: 1331D4B5D412089FDB04CFA8D980AEEBBB5EF49300F10946AE511B7360DB74AA04CFA5

Function 05B838F1 Relevance: 1.3, Strings: 1, Instructions: 86COMMON

Download Yara Rule

Strings

8bq, xrefs: 05B83957

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID: 8bq
API String ID: 0-187764589
Opcode ID: 7aca49686d795ae9f51e20b45e6efe2ef4d484ee8e9e1a0e24009825a121b165
Instruction ID: a11426998eba96f76cc65d73661bb5212845d8e200f8fa5d1ec0fc6bc369ae3f
Opcode Fuzzy Hash: 7aca49686d795ae9f51e20b45e6efe2ef4d484ee8e9e1a0e24009825a121b165
Instruction Fuzzy Hash: 7831C475D412089FDB04CFA8D980AEEBBB6FF49300F10946AE911B7360DB74AA04CF95

Function 6E143460 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57defef04cdd397cd2c8daee722437a19485c34a4febab60d24264a227c0bb9
Instruction ID: aa74d366f6ce4f68929a12cab1b95c4886cb057314d35bff452369b36ed46ff4
Opcode Fuzzy Hash: e57defef04cdd397cd2c8daee722437a19485c34a4febab60d24264a227c0bb9
Instruction Fuzzy Hash: 755299716483058FC758CF5EC98054AF7F2BBC8718F18CA7DA599C6B21E374E9468B82

Function 05B8BA9A Relevance: .5, Instructions: 537COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 984bd7e612ac0186234b2a23b3286d9c3b6923b3a8efa2217aff094da39579ec
Instruction ID: 33e9686994f45082671200f3f597723b5cbd99ca3981ef518f1e00b8ea2f2807
Opcode Fuzzy Hash: 984bd7e612ac0186234b2a23b3286d9c3b6923b3a8efa2217aff094da39579ec
Instruction Fuzzy Hash: 2C411975C152688FDB01EFA8D990BDDBFB0FF0A310F14905AD448A7261D7389949CF65

Function 6E143E50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c477024e71e463717b892515b73390a80f0de7856b5551fe47b4012150965c
Instruction ID: f58f59fd753db1d5a06673b96f9205d3f47784dbc8776f863be213912ecc1d89
Opcode Fuzzy Hash: 79c477024e71e463717b892515b73390a80f0de7856b5551fe47b4012150965c
Instruction Fuzzy Hash: AA223E71A083058FC344CF69C88064AF7E2FFC8318F59892DE598D7715E775EA4A8B92

Function 6E144AC0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32662eef60f0c471b7fdac11190f1f5451b2dd2c365e0225398f315df61cf83
Instruction ID: 9ded071ad59cd704732e825f270e8da77efaef640fe718d0d309e11cafb84771
Opcode Fuzzy Hash: c32662eef60f0c471b7fdac11190f1f5451b2dd2c365e0225398f315df61cf83
Instruction Fuzzy Hash: A80296717443018FC758CF6ECC8154AB7E2ABC8314F19CA7DA499C7B21E778E94A8B52

Function 6E155050 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 881196949fef0fb7f392440c2fb8903dea1bfa82a08d655cf26c4666a8209639
Instruction ID: 3373aa6829ed376d71dd8feb32c70f7e316c051602c1be3356b2c4613a5723de
Opcode Fuzzy Hash: 881196949fef0fb7f392440c2fb8903dea1bfa82a08d655cf26c4666a8209639
Instruction Fuzzy Hash: F9029F3280A2B49FDB92EF5ED8405AB73F4FF90355F43892ADC8163241D335EA499794

Function 6E144550 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed4dd07c22fc926db6187162ceb4f6c9de92f9471c57bfdad431e9e1507ebf3
Instruction ID: 5f0367c05d9e803403292a80ae2ee566663ed1d763c363ca41ed2b3cb0e999bd
Opcode Fuzzy Hash: 9ed4dd07c22fc926db6187162ceb4f6c9de92f9471c57bfdad431e9e1507ebf3
Instruction Fuzzy Hash: 2ED1A4716443018FC348CF1EC98164AF7E2BFD8718F19CA6DA599C7B21D379E9468B42

Function 6E155274 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
Instruction ID: 11a1f37e77bd3a10e9079b714d218fd6a0c7e86ff7a5ab61f62f7fd414b00901
Opcode Fuzzy Hash: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
Instruction Fuzzy Hash: A3A144324192B49FDB92EF6ED8400AB73E5EF94355F43492FDCC167281C235EA089795

Function 6E143260 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326bc5982354ac438e1a9f739f44fe0e5fdd5d63dcd15d05e6311c1e57b5f58c
Instruction ID: 77c67e4e61c8f026e6fc0232a3d214a61c66183bd9c4334c8bf01a2cff0a98da
Opcode Fuzzy Hash: 326bc5982354ac438e1a9f739f44fe0e5fdd5d63dcd15d05e6311c1e57b5f58c
Instruction Fuzzy Hash: 8171A371A083058FC344CF1AC94164AF7E2FFC8718F19C96DA898C7B21E775E9468B82

Function 6E143C90 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdc20a2fddfc9a188b602cbb1ee077ba7ac09752fea693f80eeb2021d0fc81c
Instruction ID: c816e45da3559c3907b7fb3d5880d540d82664f1bd06f7db55950fe47940c881
Opcode Fuzzy Hash: 7cdc20a2fddfc9a188b602cbb1ee077ba7ac09752fea693f80eeb2021d0fc81c
Instruction Fuzzy Hash: 1F51F776A083058FC344CF69C88064AF7E2FBC8318F59C93DE999C7715E675E94A8B81

Function 6E144970 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba715fd754b714e9d068fda8deb8e9fc5fdebe33215753f3ecb5741719fa00b
Instruction ID: 69990af1b33206951b8dcabbca6b0527f4b1e7b774d6cca876f21f347aff3c55
Opcode Fuzzy Hash: 6ba715fd754b714e9d068fda8deb8e9fc5fdebe33215753f3ecb5741719fa00b
Instruction Fuzzy Hash: 9441D972B042168FCB48CE2ECC4165AF7E6FBC8210B4DC639A859C7B15E734E9498B91

Function 05B8291C Relevance: .1, Instructions: 122COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eaa7ebe4308b3eb0f49111da13131894c6bda5a29e7c468c376d0e92ad7e63e0
Instruction ID: 48ce99829b7a187674f63f859877b65ca746d7563ef6263a1c632878a71739a7
Opcode Fuzzy Hash: eaa7ebe4308b3eb0f49111da13131894c6bda5a29e7c468c376d0e92ad7e63e0
Instruction Fuzzy Hash: 4A51E3B4D042489FDB24DFA9D5857ADFBF1FF09300F20A069D419AB251D774A885CF45

Function 05B82928 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ad7eaf58fe2e540b056f85ce4ffafd4282aebe89e7a6ca38e38ea4fa6da1edf3
Instruction ID: 79bf7f3c4ccddc2596f768b04127fb1712b4c6988ff407919ac7080f975f5c64
Opcode Fuzzy Hash: ad7eaf58fe2e540b056f85ce4ffafd4282aebe89e7a6ca38e38ea4fa6da1edf3
Instruction Fuzzy Hash: F241E2B4D002489FDB24DFA9D885BADFBF1FF09300F20A069E819AB251D774A885CF45

Function 6E154EE0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1f16fac0e08844244c307e63505c6d9d90a427d77b22931de198b8afb797581
Instruction ID: 368b977be63f6a43537b59f876dba326a776e7d4574b711782a98b8c4ea8b699
Opcode Fuzzy Hash: b1f16fac0e08844244c307e63505c6d9d90a427d77b22931de198b8afb797581
Instruction Fuzzy Hash: FB41AF7120C30D0FD35CFDE896DB397B6D4E389280F41943F9A118B1A2FEA4955996C4

Function 03461638 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2104811256.0000000003460000.00000040.00000800.00020000.00000000.sdmp, Offset: 03460000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_3460000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b18595fdcfbf55f4e99adc97c01483d520893a3be37f775d2cdc122982735bf
Instruction ID: f7098daea2e8cf40eac0733652a6554187884c1b3771b713230d66230980dfb0
Opcode Fuzzy Hash: 7b18595fdcfbf55f4e99adc97c01483d520893a3be37f775d2cdc122982735bf
Instruction Fuzzy Hash: 5B4110B1E016588BEB5CCF6B8D4078AFAF7BFC8210F14C1BA851CAB264DB7109958F45

Function 05B8C338 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eebff512d34c9d65d1ef18b2539f5f4bdf118ad9d56aefcd69bbad0e5860e188
Instruction ID: de9a6e6f1a1f4a634e85f6ac2bd65a7333cc3bad311e14894d6f7cef12f3252a
Opcode Fuzzy Hash: eebff512d34c9d65d1ef18b2539f5f4bdf118ad9d56aefcd69bbad0e5860e188
Instruction Fuzzy Hash: 5731CBB9D052589FCB10DFA9D580AEDFBF4AB09310F14906AE414B7210D338A989CF64

Function 05B8C340 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab858adfdc6ac754d83c0adac154295d52a7e93161f4c3a00eb14059c25d6c9
Instruction ID: 93ceda96828f21feef3b971b8ccc2a87d66cce0bff8096295c3a99743b440a0a
Opcode Fuzzy Hash: aab858adfdc6ac754d83c0adac154295d52a7e93161f4c3a00eb14059c25d6c9
Instruction Fuzzy Hash: CC31AAB5D052589FCB10DFAAD484AEEFBF4AB49310F14906AE418B7210D738A985CF64

Function 05B83C28 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ca6c81c41dd0c1d9e723f1384a5fa336adf8b0030137f6ad88010526cee788dc
Instruction ID: 4761bee85eefd9fc89f95c5631bf96223fec983d2e6903bfb64d57ab7fab6069
Opcode Fuzzy Hash: ca6c81c41dd0c1d9e723f1384a5fa336adf8b0030137f6ad88010526cee788dc
Instruction Fuzzy Hash: 5E31A675D412089FDB04CFA9D880AEEBBB6FF49310F10946AE515B7360DB74AA04CFA5

Function 05B83A08 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a287d5e04b7ee1cba49a9a6a17cbb0dbe66664291dcd8914fa359b85473965aa
Instruction ID: b46a28b8781df43d821bdeecc782741fa83c4c09b9aaedafb9adf03186b95c9d
Opcode Fuzzy Hash: a287d5e04b7ee1cba49a9a6a17cbb0dbe66664291dcd8914fa359b85473965aa
Instruction Fuzzy Hash: FE31A875D412089FDB04CFA9D880AEEBBB5FF49310F109465E515B7360DB74AA04CF95

Function 05B83A00 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66055e518557babc5bb037bd5f5bb69e3d4816221d3f2493e1088043e1761a6f
Instruction ID: 1cc7451cbc7a48f5e860ea5d60153e0fe487cafdc65cafbcc2d59785828c7d15
Opcode Fuzzy Hash: 66055e518557babc5bb037bd5f5bb69e3d4816221d3f2493e1088043e1761a6f
Instruction Fuzzy Hash: 3731B475D412089FDB04CFA8D580AEEBBB6FF49300F10946AE515B7360DB74AA44CFA5

Function 05B83C22 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef03f46121303b3603285ad0ed06008f1f2faf780d824e070cc921839bb90c91
Instruction ID: 6613363f2292b052b73447d3e551bbb83770a830e3223cc23a68adc13ee33e76
Opcode Fuzzy Hash: ef03f46121303b3603285ad0ed06008f1f2faf780d824e070cc921839bb90c91
Instruction Fuzzy Hash: 2431C7B5D412089FDB04CFA8D980AEEBBB6FF49300F10946AE515B7360DB749A04CF95

Function 6E106650 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction ID: b07b0338a9e3e38618fe2a597921a7694a5e0bb23f3f77b546dfa2b7a02a066a
Opcode Fuzzy Hash: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction Fuzzy Hash: E02127327151564BE304CE2EC8908A2B7A7EF9D31472981F9E818CB283CA70E956C7D0

Function 6E108B30 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction ID: 0e3bc54b6f403fe985da9ab1dfd7040f63a7132ae0118c87cfd463aa26ce9d94
Opcode Fuzzy Hash: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction Fuzzy Hash: C6218E757046874BE715CF2EC84059BBBA3FFD9300B1980A6E858DB242C674E866CBC0

Function 6E10C7B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction ID: b856beb31300d1defc40181482bb72e43845aeeef4f9c327a1d3817e26e5d7bb
Opcode Fuzzy Hash: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction Fuzzy Hash: D2110B36709A430BF305CF2EE840483B793AFDD31476A85AEA454DF146CB71E456C791

Function 6E10A7E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction ID: 7c32803b8a14c8e8b6bfc3bbace2d87f8874d53bee3d3ffdd275cc81a4f90ddc
Opcode Fuzzy Hash: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction Fuzzy Hash: 6E110632A156924BD3018E2DC8406C6BB67AFDE710B1A81EBE854DF217CB74985BC7D0

Function 05B8BE78 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2115048253.0000000005B80000.00000040.00000800.00020000.00000000.sdmp, Offset: 05B80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5b80000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2bde13cacb3c282e92d83541c9abe76532abda586aa7976f94663f815a9dd0d9
Instruction ID: efd7fd4265b4958e2c1cf7ac6b9e690d6753de680438f9f7e2d272eecf3866b1
Opcode Fuzzy Hash: 2bde13cacb3c282e92d83541c9abe76532abda586aa7976f94663f815a9dd0d9
Instruction Fuzzy Hash: 4E21A8B5D052089FCB10DFA9D584AEEBBF4FB49310F24A06AE818B3210C735A945CFA5

Function 6E1684B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f8339dd5ea243b7f1d348fb5f89fdeb03b4fe66e44cbfdd072a084bd825033c5
Instruction ID: f08b2313b0e74264599a2ef39adf46e8e1697c9fb7729bb70655dcea2916e45a
Opcode Fuzzy Hash: f8339dd5ea243b7f1d348fb5f89fdeb03b4fe66e44cbfdd072a084bd825033c5
Instruction Fuzzy Hash: D2115EB6A08609EFC704CF59D841B9AFBF4FB45724F20822EE81997B80D735A950DB90

Function 6E176FB1 Relevance: 54.3, APIs: 36, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBCMT ref: 6E176FCC

Part of subcall function 6E174147: DName::DName.LIBCMT ref: 6E17415A
Part of subcall function 6E174147: DName::operator+.LIBCMT ref: 6E174161

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: ada3eab7e830d46dd3a4967eb2e22aa34028f190c9c4e6c1588606f1a0644663
Instruction ID: 81f18639bd44c891fa16c48b3d83776b2b1c2ec36fd03df5f84ab0e163971dff
Opcode Fuzzy Hash: ada3eab7e830d46dd3a4967eb2e22aa34028f190c9c4e6c1588606f1a0644663
Instruction Fuzzy Hash: 4DD13271900209AFDF20DFE8C895AEEBBF8EF19705F104456E515EB290DB349AC5EB60

Function 6E16EC9D Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6E16A2D4,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E16ECA5
__mtterm.LIBCMT ref: 6E16ECB1

Part of subcall function 6E16E97C: DecodePointer.KERNEL32(00000012,6E16A397,6E16A37D,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E16E98D
Part of subcall function 6E16E97C: TlsFree.KERNEL32(0000000A,6E16A397,6E16A37D,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E16E9A7
Part of subcall function 6E16E97C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6E16A397,6E16A37D,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E172325
Part of subcall function 6E16E97C: DeleteCriticalSection.KERNEL32(0000000A,?,?,6E16A397,6E16A37D,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E17234F

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6E16ECC7
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6E16ECD4
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6E16ECE1
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6E16ECEE
TlsAlloc.KERNEL32(?,?,6E16A2D4,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E16ED3E
TlsSetValue.KERNEL32(00000000,?,?,6E16A2D4,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E16ED59
__init_pointers.LIBCMT ref: 6E16ED63
EncodePointer.KERNEL32(?,?,6E16A2D4,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E16ED74
EncodePointer.KERNEL32(?,?,6E16A2D4,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E16ED81
EncodePointer.KERNEL32(?,?,6E16A2D4,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E16ED8E
EncodePointer.KERNEL32(?,?,6E16A2D4,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E16ED9B
DecodePointer.KERNEL32(Function_0006EB00,?,?,6E16A2D4,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E16EDBC
__calloc_crt.LIBCMT ref: 6E16EDD1
DecodePointer.KERNEL32(00000000,?,?,6E16A2D4,6E1995C0,00000008,6E16A468,?,?,?,6E1995E0,0000000C,6E16A523,?), ref: 6E16EDEB
GetCurrentThreadId.KERNEL32 ref: 6E16EDFD

Strings

FlsSetValue, xrefs: 6E16ECD6
FlsAlloc, xrefs: 6E16ECC1
FlsGetValue, xrefs: 6E16ECC9
FlsFree, xrefs: 6E16ECE3
KERNEL32.DLL, xrefs: 6E16ECA0

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1868149495-3819984048
Opcode ID: 0c908476b336245310ce82c2bf3e32e3ad0499e38a0317cc693c51266ac778e8
Instruction ID: de3a7ebb464484796d87f49062f7f6fb1cd483d3fa8d6d188737155163000ee2
Opcode Fuzzy Hash: 0c908476b336245310ce82c2bf3e32e3ad0499e38a0317cc693c51266ac778e8
Instruction Fuzzy Hash: F6314431900B199EDF10DFB99C0867F3FE9BF57654724861AE4249A250EB309691FF90

Function 6E110EA0 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E110EF2
std::_Xinvalid_argument.LIBCPMT ref: 6E110F14
_memmove.LIBCMT ref: 6E110F70
_memmove.LIBCMT ref: 6E110F95
_memmove.LIBCMT ref: 6E110FA9
_memmove.LIBCMT ref: 6E110FDB
_memmove.LIBCMT ref: 6E111182
std::_Xinvalid_argument.LIBCPMT ref: 6E1111B6

Strings

invalid string position, xrefs: 6E1111B1
string too long, xrefs: 6E110EED, 6E110F0F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: 494dfe0cf97af70b019d485e91f9409036088d1a4534ab745d54e3b258d08b39
Instruction ID: 7e68490232b9a644fa40d99ac677535ca3b8d71fb57df44400d157a81d86353a
Opcode Fuzzy Hash: 494dfe0cf97af70b019d485e91f9409036088d1a4534ab745d54e3b258d08b39
Instruction Fuzzy Hash: B9B17D71B181459BEB18CE9CCCA1ADFB3A6EB95304724492CF992CB740D630ECD5DBA1

Function 6E177FC4 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getBasicDataType.LIBCMT ref: 6E177FFF
DName::operator=.LIBCMT ref: 6E178013
DName::operator+=.LIBCMT ref: 6E178021
UnDecorator::getPtrRefType.LIBCMT ref: 6E17804D
UnDecorator::getDataIndirectType.LIBCMT ref: 6E1780CA
UnDecorator::getBasicDataType.LIBCMT ref: 6E1780D3
operator+.LIBCMT ref: 6E178166

Strings

volatile, xrefs: 6E17800B, 6E178139
std::nullptr_t, xrefs: 6E178122

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Decorator::getType$Data$Basic$IndirectName::operator+=Name::operator=operator+
String ID: std::nullptr_t$volatile
API String ID: 2203807771-3726895890
Opcode ID: 2f4215f4a057866f65d73ec51bec5883e3010aefadf5fe87f65892e8b3d41537
Instruction ID: c30afa2381b368ea5eaa12a6627493b4b3397f9d0745e341c8069e52c01b2c8d
Opcode Fuzzy Hash: 2f4215f4a057866f65d73ec51bec5883e3010aefadf5fe87f65892e8b3d41537
Instruction Fuzzy Hash: AE419B72504169AFCF31CFD8C8949EE7B78FB16B45F208466E9645B240D7319AC2EB50

Function 6E125140 Relevance: 21.2, APIs: 14, Instructions: 203COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E125177

Part of subcall function 6E132820: _malloc.LIBCMT ref: 6E132871

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000004), ref: 6E1251B9
SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6E1251D5
SafeArrayAccessData.OLEAUT32(00000000,00000000), ref: 6E1251E5
_memmove.LIBCMT ref: 6E1251FF
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6E125208
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E12522C
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6E125263
VariantClear.OLEAUT32(?), ref: 6E12526C
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6E1252AD
VariantClear.OLEAUT32(?), ref: 6E1252B6
SafeArrayPutElement.OLEAUT32(00000000,00000002,00000002), ref: 6E1252D2
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E12534E
VariantClear.OLEAUT32(?), ref: 6E125358

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$ElementVariant$Clear$CreateDataVector$AccessDestroyInitUnaccess_malloc_memmove
String ID:
API String ID: 452649785-0
Opcode ID: f005801081594240637fc0bf0dae030ef00457590c0b9f63801d248363675173
Instruction ID: 4402d28c06e62f369bde6d1fa53656ee68450b98b34fe34c54ed986a239fb6c2
Opcode Fuzzy Hash: f005801081594240637fc0bf0dae030ef00457590c0b9f63801d248363675173
Instruction Fuzzy Hash: CD712E7190061AEFDB00CFA5C884AEFBBB8FF59704F108129E905D7241E774E985DBA1

Function 6E11F95E Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 332COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E11FA0F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E11FA22
SafeArrayGetElement.OLEAUT32 ref: 6E11FA5A

Part of subcall function 6E123A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E123B71
Part of subcall function 6E123A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E123B83

Part of subcall function 6E1269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E126A08
Part of subcall function 6E1269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E126A15
Part of subcall function 6E1269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E126A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Part of subcall function 6E11DFB0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E11DFF6
Part of subcall function 6E11DFB0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E11E003
Part of subcall function 6E11DFB0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E11E02F

Strings

RS{m, xrefs: 6E11FC3E
RS7m, xrefs: 6E11FC82

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID: RS7m$RS{m
API String ID: 959723449-144615663
Opcode ID: 7d2e614608e21682d1e2b15266d387a02510df6359df3019fd16fe9e9c7c7319
Instruction ID: cb3adc86cad6d7894a7abcfdf3c31b912989192fe6ca4f8d75a26b2138f51530
Opcode Fuzzy Hash: 7d2e614608e21682d1e2b15266d387a02510df6359df3019fd16fe9e9c7c7319
Instruction Fuzzy Hash: 0DC17170A142059FDB40CFA8CC94FDDB7B9AF89304F2085A8E515AB286DB71EDC1DB50

Function 6E123690 Relevance: 18.2, APIs: 12, Instructions: 215COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E1236CD
VariantInit.OLEAUT32(?), ref: 6E1236DA
VariantInit.OLEAUT32(?), ref: 6E1236E0
VariantInit.OLEAUT32(?), ref: 6E1236E6
VariantInit.OLEAUT32 ref: 6E1237DD
VariantCopy.OLEAUT32(?,?), ref: 6E1237E4
VariantInit.OLEAUT32 ref: 6E123815
VariantCopy.OLEAUT32(?,?), ref: 6E12381C
VariantClear.OLEAUT32(?), ref: 6E1238A8
VariantClear.OLEAUT32(?), ref: 6E1238AE
VariantClear.OLEAUT32(?), ref: 6E1238B4
VariantClear.OLEAUT32(?), ref: 6E1238BA

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: 2a3207fabbdfff3617b82defe0153e1fdf83404ce732bf59a70594ba9eca9605
Instruction ID: 01ec26779be6f84e0865f33a06c02fe9b1b5bf6e222236e7de57b60dfe479a94
Opcode Fuzzy Hash: 2a3207fabbdfff3617b82defe0153e1fdf83404ce732bf59a70594ba9eca9605
Instruction Fuzzy Hash: F9815C7190061AAFDF04DFE8CC84BEEBBB9BF49304F144569E505AB244DB34A985DB90

Function 6E12D880 Relevance: 18.2, APIs: 12, Instructions: 202COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E12D8EC
VariantInit.OLEAUT32 ref: 6E12D902
VariantInit.OLEAUT32(?), ref: 6E12D90D
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6E12D929
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6E12D966
VariantClear.OLEAUT32(?), ref: 6E12D973
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6E12D9B4
VariantClear.OLEAUT32(?), ref: 6E12D9C1
SafeArrayDestroy.OLEAUT32(?), ref: 6E12DA6F
VariantClear.OLEAUT32(?), ref: 6E12DA80
VariantClear.OLEAUT32(?), ref: 6E12DA87
VariantClear.OLEAUT32(?), ref: 6E12DA99

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$Element$CreateDestroyVector
String ID:
API String ID: 1625659656-0
Opcode ID: de571ec0da13a58408daf530597dae37765d62a10d5126ec3f5eb29c03245a8d
Instruction ID: 0e3f68124865b1d5158f3b60d9ddc688503410c968f847775aba362510a4f813
Opcode Fuzzy Hash: de571ec0da13a58408daf530597dae37765d62a10d5126ec3f5eb29c03245a8d
Instruction Fuzzy Hash: 2A8127721087029FC700CFA8C884B5BB7E8BFD9714F148A6DE99597240EB74E946DF92

Function 6E1112A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E1112DD
std::_Xinvalid_argument.LIBCPMT ref: 6E1112FB
_memmove.LIBCMT ref: 6E111368
_memmove.LIBCMT ref: 6E11139F
std::_Xinvalid_argument.LIBCPMT ref: 6E11140C

Strings

invalid string position, xrefs: 6E111407
string too long, xrefs: 6E1112D8, 6E1112F6

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: f479ca885e84b5b90fe41d327bde7bd28d39592917aa4269d32b468319894a8a
Instruction ID: d7765f5f77d9259d167c6543c24771ffb53d692ddead7608c73eeab63d4de827
Opcode Fuzzy Hash: f479ca885e84b5b90fe41d327bde7bd28d39592917aa4269d32b468319894a8a
Instruction Fuzzy Hash: 9E41B5313182054BE714CEDDD890ADEF3AAEBA1324720093EE591CBB44D730DCC9A7A2

Function 6E124BA0 Relevance: 15.5, APIs: 10, Instructions: 475COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E124BDC
VariantInit.OLEAUT32(?), ref: 6E124BE5
VariantInit.OLEAUT32(?), ref: 6E124BEB
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E124BF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E124C2A
VariantClear.OLEAUT32(?), ref: 6E124C37
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E125107
VariantClear.OLEAUT32(?), ref: 6E125117
VariantClear.OLEAUT32(?), ref: 6E12511D
VariantClear.OLEAUT32(?), ref: 6E125123

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 50698cea9948d416ae2e20118cc5ba18561fd944ebc010cd85fb92e9e0723fef
Instruction ID: f59d5044550868f8d1016d2def971d8bd7eabd3666623e3084c6cace95651b93
Opcode Fuzzy Hash: 50698cea9948d416ae2e20118cc5ba18561fd944ebc010cd85fb92e9e0723fef
Instruction Fuzzy Hash: 31120475615705AFC758DBD8DD84DAAB3B9BF8D300F144668F50AABB91CA30F841CB90

Function 6E1249B0 Relevance: 15.2, APIs: 10, Instructions: 174COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6E1805A8), ref: 6E1249EE
VariantInit.OLEAUT32(?), ref: 6E1249F7
VariantInit.OLEAUT32(?), ref: 6E1249FD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E124A08
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6E124A39
VariantClear.OLEAUT32(?), ref: 6E124A45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E124B66
VariantClear.OLEAUT32(?), ref: 6E124B76
VariantClear.OLEAUT32(?), ref: 6E124B7C
VariantClear.OLEAUT32(6E1805A8), ref: 6E124B82

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: e2e5704f2908a10b62b142771465e6005f197571207b441818e93625072d95d3
Instruction ID: 146df9e1f225bc7dce2fbeca4ceb0efc816a0c5351489a33826dceace6c92f94
Opcode Fuzzy Hash: e2e5704f2908a10b62b142771465e6005f197571207b441818e93625072d95d3
Instruction Fuzzy Hash: B6515F76A002199FDB04DFE4CC84EAEB7BCFF89310F144569E915EB244D735A982DBA0

Function 6E1247D0 Relevance: 15.2, APIs: 10, Instructions: 168COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E12480C
VariantInit.OLEAUT32(?), ref: 6E124815
VariantInit.OLEAUT32(?), ref: 6E12481B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E124826
SafeArrayPutElement.OLEAUT32(00000000,000000FF,?), ref: 6E12485B
VariantClear.OLEAUT32(?), ref: 6E124868
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E124974
VariantClear.OLEAUT32(?), ref: 6E124984
VariantClear.OLEAUT32(?), ref: 6E12498A
VariantClear.OLEAUT32(?), ref: 6E124990

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 3d0bc766783f3a30ab5fa105e28ebe3a6c637b20446f3cb83e55082449982f60
Instruction ID: b1654122493f0c39eab85e5f73dd9801241cf86bddf71242c5e34e8055559aa0
Opcode Fuzzy Hash: 3d0bc766783f3a30ab5fa105e28ebe3a6c637b20446f3cb83e55082449982f60
Instruction Fuzzy Hash: 37514D729002499FDB14DFE4CC80EAEB7B9FF89310F14456DE506AB644DB30A986DB90

Function 6E11DCD0 Relevance: 15.1, APIs: 10, Instructions: 138COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E11DD00
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000003), ref: 6E11DD10
SafeArrayPutElement.OLEAUT32(00000000,6E122FFF,?), ref: 6E11DD47
VariantClear.OLEAUT32(?), ref: 6E11DD4F
SafeArrayPutElement.OLEAUT32(00000000,6E122FFF,?), ref: 6E11DD6D
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6E11DDA4
VariantClear.OLEAUT32(?), ref: 6E11DDAC
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E11DE16
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E11DE27
VariantClear.OLEAUT32(?), ref: 6E11DE31

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Variant$ClearElement$Destroy$CreateInitVector
String ID:
API String ID: 3525949229-0
Opcode ID: 6acfc880e8f563e01f4f6b980484e6762be59b9b5c844d40971e86e0d521fb34
Instruction ID: 1e8066d1d05bfcdb8081b4812e736b61bd7c3203bbcdd47f251a4ddd894e1070
Opcode Fuzzy Hash: 6acfc880e8f563e01f4f6b980484e6762be59b9b5c844d40971e86e0d521fb34
Instruction Fuzzy Hash: 0E516F75A05609AFDB00DFA4C884EDFBBB8FF5A701F118129EA1597350DB34A941DFA0

Function 6E13C1B0 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 266COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E13C213

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

Strings

gfff, xrefs: 6E13C3A3
gfff, xrefs: 6E13C259
gfff, xrefs: 6E13C1F2
vector<T> too long, xrefs: 6E13C20E
gfff, xrefs: 6E13C2EA
gfff, xrefs: 6E13C3F7
gfff, xrefs: 6E13C222

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$gfff$gfff$gfff$gfff$vector<T> too long
API String ID: 1823113695-1254974138
Opcode ID: 0264c04571b3cdcabfcd2070421550230ae816008af6d095e0e976b03d67afcc
Instruction ID: 7c28b01a0dab7e753ebbfbc7188e798ba3243b293ac4ceeae885af283f21c0e2
Opcode Fuzzy Hash: 0264c04571b3cdcabfcd2070421550230ae816008af6d095e0e976b03d67afcc
Instruction Fuzzy Hash: 76918A75A006099FC718CF99DC90EEEB7B9EB88314F14861DE559DB344E730B944CB91

Function 6E110CD0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E110D3A
std::_Xinvalid_argument.LIBCPMT ref: 6E110D60
_memmove.LIBCMT ref: 6E110D95
std::_Xinvalid_argument.LIBCPMT ref: 6E110DBF
_memmove.LIBCMT ref: 6E110E3E

Strings

invalid string position, xrefs: 6E110D35
string too long, xrefs: 6E110D5B, 6E110DBA

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 1776291ee44f0fe993de1fa567ddbdedef96f29b727657b53008b549c907640d
Instruction ID: ffb7e83263c3f281796660e3cc71759e405c1064a79a8e224d3c3eae78a70142
Opcode Fuzzy Hash: 1776291ee44f0fe993de1fa567ddbdedef96f29b727657b53008b549c907640d
Instruction Fuzzy Hash: 6851C631B181059BDB24CE9DD890ADFB7AADBC5310B20493EE955C7784E770ECE09791

Function 6E131B20 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6E131C5E
LoadLibraryW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6E131C69
GetProcAddress.KERNEL32(00000000,F1F2E532), ref: 6E131CA2
GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6E131CC1
LoadLibraryW.KERNEL32(kernel32.dll,?,00000000), ref: 6E131CCC
GetProcAddress.KERNEL32(00000000,EFF3E52B), ref: 6E131D0A

Strings

User32.dll, xrefs: 6E131C57, 6E131C64
kernel32.dll, xrefs: 6E131CBA, 6E131CC7

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: User32.dll$kernel32.dll
API String ID: 310444273-1965990335
Opcode ID: 1a77830f1d6e5bd7053f614f0041ebf8003a8a30d37e455496aea9858aad9067
Instruction ID: 423a6711968db2a5e8eaf4cb3d1ccca8d77c795515670f1320132fa603e17aec
Opcode Fuzzy Hash: 1a77830f1d6e5bd7053f614f0041ebf8003a8a30d37e455496aea9858aad9067
Instruction Fuzzy Hash: 1C616274204A108FD760CF98C581A9BBBF6FF46310F708918D5979BB42DB35E88AEB41

Function 6E174409 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 6E17442E

Part of subcall function 6E173FC9: Replicator::operator[].LIBCMT ref: 6E17404C
Part of subcall function 6E173FC9: DName::operator+=.LIBCMT ref: 6E174054

DName::operator+.LIBCMT ref: 6E174487
DName::DName.LIBCMT ref: 6E1744DF

Strings

..., xrefs: 6E1744C2
void, xrefs: 6E1744D7
,<ellipsis>, xrefs: 6E17447A, 6E17447F
<ellipsis>, xrefs: 6E1744C9, 6E1744CE
,..., xrefs: 6E174473

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: 73b9ed1cb9eac15e441cb60cdbf16f8805e4c9cc8e95f35c30909d7c372964ae
Instruction ID: 60a0c3eac19874d4c312cbd3ea8ffeb07dff6df18d1d59988744de264c3144f2
Opcode Fuzzy Hash: 73b9ed1cb9eac15e441cb60cdbf16f8805e4c9cc8e95f35c30909d7c372964ae
Instruction Fuzzy Hash: 2A214CB46006099FCF11CF9CC4549A97BF5AB5A789B208195E86ADF316CB30D9C3FB50

Function 6E175D36 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 6E175D40
DName::DName.LIBCMT ref: 6E175D4C

Part of subcall function 6E173B3B: DName::doPchar.LIBCMT ref: 6E173B6C

UnDecorator::getScopedName.LIBCMT ref: 6E175D8B
DName::operator+=.LIBCMT ref: 6E175D95
DName::operator+=.LIBCMT ref: 6E175DA4
DName::operator+=.LIBCMT ref: 6E175DB0
DName::operator+=.LIBCMT ref: 6E175DBD

Strings

void, xrefs: 6E175D9C

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 2f22e54701292201c54e715e4284b85470ea4c0481ed4c650da1705ed392fc02
Instruction ID: 038b804700363d3d384bb31ad27bd37cda146c288175fae7117ef2afc3e1db5c
Opcode Fuzzy Hash: 2f22e54701292201c54e715e4284b85470ea4c0481ed4c650da1705ed392fc02
Instruction Fuzzy Hash: 421182B0500208AFDF15DFE8C89CBEE7BB4EB11B05F004098D4559B2A5DB709EC6EB41

Function 6E12C850 Relevance: 13.8, APIs: 9, Instructions: 271COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E12C88F
VariantInit.OLEAUT32(?), ref: 6E12C895
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E12C8A0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6E12C8D5
VariantClear.OLEAUT32(?), ref: 6E12C8E1
std::tr1::_Xweak.LIBCPMT ref: 6E12CB1C
SafeArrayDestroy.OLEAUT32(?), ref: 6E12CB39
VariantClear.OLEAUT32(?), ref: 6E12CB49
VariantClear.OLEAUT32(?), ref: 6E12CB4F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 7a7c963767d65d481c0f0fa58973e02fe823352a88f7c19e34c61109028fc4d3
Instruction ID: be145c923fbb5cc9c20345b9b288746d4e0e39bf79b92dbcedb70342a736cb38
Opcode Fuzzy Hash: 7a7c963767d65d481c0f0fa58973e02fe823352a88f7c19e34c61109028fc4d3
Instruction Fuzzy Hash: 96B13775600609AFCB14DF98CC84DEAB7F9BF8D310F158568E606AB791DA34F881DB60

Function 6E123F10 Relevance: 13.7, APIs: 9, Instructions: 201COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E123F7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E123F8D
VariantInit.OLEAUT32(?), ref: 6E123FB7
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E123FD0
VariantClear.OLEAUT32(?), ref: 6E1240C9
VariantClear.OLEAUT32(?), ref: 6E124105
SafeArrayDestroy.OLEAUT32(?), ref: 6E124123
VariantClear.OLEAUT32(?), ref: 6E124157
VariantClear.OLEAUT32(?), ref: 6E124168

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Bound$DestroyElementInit
String ID:
API String ID: 758290628-0
Opcode ID: bf2ec36e2cf5ad3aacafdc049254629451db0e3c8abe8af6b8d5258c7d922882
Instruction ID: 5e9cf6111d3b6b4d9924745a645c376e79dde298608b7dcdf4ac5c7a3a399a1e
Opcode Fuzzy Hash: bf2ec36e2cf5ad3aacafdc049254629451db0e3c8abe8af6b8d5258c7d922882
Instruction Fuzzy Hash: B0716D761083429FC700DFA8C8C499BBBE9FB99700F144A2CF59587250D775E9C6DB92

Function 6E10FC30 Relevance: 13.7, APIs: 9, Instructions: 154fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,?,?,00000000,4F740BFF), ref: 6E10FC98
CloseHandle.KERNEL32(FFFFFFFF,?,?,00000000,4F740BFF), ref: 6E10FCAD
CloseHandle.KERNEL32(?,?,?,00000000,4F740BFF), ref: 6E10FCB7
SetLastError.KERNEL32(00000000,?,?,00000000,4F740BFF), ref: 6E10FCBA
CreateFileW.KERNEL32(?,-00000001,00000001,00000000,00000003,00000000,00000000,?,?,00000000,4F740BFF), ref: 6E10FD01
GetFileSizeEx.KERNEL32(00000000,?,?,?,00000000,4F740BFF), ref: 6E10FD14
GetLastError.KERNEL32(?,?,00000000,4F740BFF), ref: 6E10FD2A
CreateFileMappingW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,4F740BFF), ref: 6E10FD6B
MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,00000000,4F740BFF), ref: 6E10FD98

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastView$MappingSizeUnmap
String ID:
API String ID: 1303881157-0
Opcode ID: 056fb4d94bb57d3d065df235a590442e75454e7614ec3043ee552158933cf788
Instruction ID: 603e2e369dcb97a2a2f2479f9a02e3b4ed53b5d43db1acbca5ad16f5e9a9881d
Opcode Fuzzy Hash: 056fb4d94bb57d3d065df235a590442e75454e7614ec3043ee552158933cf788
Instruction Fuzzy Hash: C851D6B56043019FDB408F74C896B9B77A8AB4D320F358659EC24CF2C5DF74D882ABA4

Function 6E1642B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E1642DD

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

_memmove.LIBCMT ref: 6E164363
_memmove.LIBCMT ref: 6E164381
_memmove.LIBCMT ref: 6E1643E6
_memmove.LIBCMT ref: 6E164453
_memmove.LIBCMT ref: 6E164474

Strings

vector<T> too long, xrefs: 6E1642D8

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 4034224661-3788999226
Opcode ID: 4b6aeee1ebd4a23ae7ed81b4484d9d45ec07c23dbcb5de6a04ed0259e1e9fdb7
Instruction ID: e7e140d4c3892a2477634386536e7fc8bcc5084c46df37886aea4bb34e3ee772
Opcode Fuzzy Hash: 4b6aeee1ebd4a23ae7ed81b4484d9d45ec07c23dbcb5de6a04ed0259e1e9fdb7
Instruction Fuzzy Hash: 0551C0B27043028FC718CFA8DC94D6BB7E9EBD4214F184E2DE896C3344E671E945C6A1

Function 6E134B60 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E134BC8
std::_Xinvalid_argument.LIBCPMT ref: 6E134BE0
std::_Xinvalid_argument.LIBCPMT ref: 6E134BFA
_memmove.LIBCMT ref: 6E134C64
_memmove.LIBCMT ref: 6E134C81

Strings

invalid string position, xrefs: 6E134BC3
string too long, xrefs: 6E134BDB, 6E134BF5

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 0acac290d178e253c040d52d58d2356ce6d5d77667f4a0deda6515d6d2ca5980
Instruction ID: 0c2d89591d97da3ae60b266b2338374adcb21457974d1407b437d1d709a85004
Opcode Fuzzy Hash: 0acac290d178e253c040d52d58d2356ce6d5d77667f4a0deda6515d6d2ca5980
Instruction Fuzzy Hash: 5341D4323042218FE724CE9DE890E6EF3EAEB95714B710D1EE152C7794C7629CC69761

Function 6E11FFEA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Strings

RSDi, xrefs: 6E120075

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSDi
API String ID: 4225690600-559181253
Opcode ID: 8575ed201db9583555cdeb3242fca2843b550241517ef6415b06738031229768
Instruction ID: 024126941bad435763f70103ddf27b3729850b62f5277daf765ccf794e224995
Opcode Fuzzy Hash: 8575ed201db9583555cdeb3242fca2843b550241517ef6415b06738031229768
Instruction Fuzzy Hash: A0413974A006099FDB40CFA9CD90E5EB7FAAF99300F60869AE509DB355DB31E881DF50

Function 6E120815 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Strings

RSUa, xrefs: 6E120864

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSUa
API String ID: 4225690600-2086061799
Opcode ID: e5060edf4871e8457d5baa4b565d7dd669d34a9a751a9d3f97010fe81d8cce0d
Instruction ID: 63b2760b307bcaeaac47fdd804c49c11a166aa422075daae9ae41f28b1795b44
Opcode Fuzzy Hash: e5060edf4871e8457d5baa4b565d7dd669d34a9a751a9d3f97010fe81d8cce0d
Instruction Fuzzy Hash: 58314870E006099FDB40CFA9CD90B9EB7B9AF99300F20869AE418E7251DB71E9C1DF50

Function 6E1206F9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Strings

RSqb, xrefs: 6E120748

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSqb
API String ID: 4225690600-347567867
Opcode ID: 42666d571609ab911d3549f8b0994194baaf34d35f6d3edb02bc90efb8018112
Instruction ID: 4bda4166469ca020de05308dac64174f9b9b2f790a2d21496cca53874f5006b8
Opcode Fuzzy Hash: 42666d571609ab911d3549f8b0994194baaf34d35f6d3edb02bc90efb8018112
Instruction Fuzzy Hash: FB314B70E006099FCB40CFA9CD90B9EB7B9AF99300F208596E418E7251DB75D9C1DF50

Function 6E120787 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Strings

RSa, xrefs: 6E1207D6

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSa
API String ID: 4225690600-3169278968
Opcode ID: b1fe2efd251a2831e527ccca006329b13c1c8479a5d384352ee739502a14e031
Instruction ID: e486220684a7cdcb32117ddf889a4692155c2f6c4c8f8b3374298c005c6ce249
Opcode Fuzzy Hash: b1fe2efd251a2831e527ccca006329b13c1c8479a5d384352ee739502a14e031
Instruction Fuzzy Hash: BC314B70E106099FCB40CFA9CD90B9EB7B9AF99300F2085AAE418E7251DB71E9C1DF50

Function 6E120237 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Strings

RS3g, xrefs: 6E120286

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS3g
API String ID: 4225690600-2794631155
Opcode ID: 8582385c92e6cee54f3ef8fc43261b2dce55b9f6c98707734954fed16981a6b0
Instruction ID: 1b47d6b3e9882538a06abc9b3ea0bd48fe8a57e17aa6d28aebc164d230f38707
Opcode Fuzzy Hash: 8582385c92e6cee54f3ef8fc43261b2dce55b9f6c98707734954fed16981a6b0
Instruction Fuzzy Hash: 1D314B70E106099FCB40CFA9CD90B9EB7F9AF99200F2086A6E418E7255DB71E9C1DF50

Function 6E12012D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Strings

RS:h, xrefs: 6E12017F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS:h
API String ID: 4225690600-3891202347
Opcode ID: 6089819031c0e7c4d4d681d5eeb9e3f531c6871b5041c7fd51766367a8fe1c64
Instruction ID: a2c9c3871de819001dd36c7a6989e3c94abeb2e05e62c28f61eacf88bd294b17
Opcode Fuzzy Hash: 6089819031c0e7c4d4d681d5eeb9e3f531c6871b5041c7fd51766367a8fe1c64
Instruction Fuzzy Hash: 5B313B70E006099FDB40CFA9CD90B9EB7B9AF99200F2085A6E418E7255DB75EDC1DF50

Function 6E15C760 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E15C7EB

Strings

Prime1, xrefs: 6E15C88A
PrivateExponent, xrefs: 6E15C85F
ModPrime2PrivateExponent, xrefs: 6E15C82C
Prime2, xrefs: 6E15C876
ModPrime1PrivateExponent, xrefs: 6E15C840
MultiplicativeInverseOfPrime2ModPrime1, xrefs: 6E15C815

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: type_info::operator!=
String ID: ModPrime1PrivateExponent$ModPrime2PrivateExponent$MultiplicativeInverseOfPrime2ModPrime1$Prime1$Prime2$PrivateExponent
API String ID: 2241493438-339133643
Opcode ID: 659ca8f2249571f50281ee8a5fe93a306ef4301838112e538fa066f2599df11a
Instruction ID: 1628b446260f1dd477c82ab4125836cc2b86d59c870bd2f34f7c6f98115ebf2a
Opcode Fuzzy Hash: 659ca8f2249571f50281ee8a5fe93a306ef4301838112e538fa066f2599df11a
Instruction Fuzzy Hash: 7A316CB0A143458FC700DFB8C85558BBBE5AFD5204F044A6EF565AF360EB70D898DB82

Function 6E120457 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Strings

RS%e, xrefs: 6E120494

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS%e
API String ID: 4225690600-1409579784
Opcode ID: 6a51ed9379e67d3de901809ee5ecb4eda26130a33eebe48e32bbb5dea7cb8f5c
Instruction ID: f4c9e79f1d0ca8619029572bb522741e614763762ae55e587a68debd44cfb0c2
Opcode Fuzzy Hash: 6a51ed9379e67d3de901809ee5ecb4eda26130a33eebe48e32bbb5dea7cb8f5c
Instruction Fuzzy Hash: 3C314970E106189FCB10CBA9CC90B9DB7BAAF99300F2086AAE418E7251DB75DDC0DF50

Function 6E11AA00 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E11AA54
VariantInit.OLEAUT32(?), ref: 6E11AA5B
VariantInit.OLEAUT32(?), ref: 6E11AA62
VariantInit.OLEAUT32(?), ref: 6E11AA69
VariantClear.OLEAUT32(?), ref: 6E11ACF2
VariantClear.OLEAUT32(?), ref: 6E11ACF9
VariantClear.OLEAUT32(?), ref: 6E11AD00
VariantClear.OLEAUT32(?), ref: 6E11AD07

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: a025ae15969f51bfa1adbcb3dab2d0c326f1e1a83ddfbda63c78345fc9ee7101
Instruction ID: 3c26095c5ca33a5ff0e73aaaa12cc9743cdc923e2ecb677223e9304212384295
Opcode Fuzzy Hash: a025ae15969f51bfa1adbcb3dab2d0c326f1e1a83ddfbda63c78345fc9ee7101
Instruction Fuzzy Hash: 3AC149716087419FC300DF98C880A9BBBE9FFD8304F648A5DF5948B265D735E889DB92

Function 6E119D00 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E119DEB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E119DFB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E119E29
SafeArrayDestroy.OLEAUT32(?), ref: 6E119F25
VariantClear.OLEAUT32(?), ref: 6E119FE5

Strings

@, xrefs: 6E119DD7

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: 058163b3250464a5863a2febcd79a74e7430111c1335a74fcb097e7d3c976235
Instruction ID: 0ec8238f964c6e7ae9ba887b42df6b908bf072386dd9334956df5dcb5db89d14
Opcode Fuzzy Hash: 058163b3250464a5863a2febcd79a74e7430111c1335a74fcb097e7d3c976235
Instruction Fuzzy Hash: 28D16A71D0824A9FDF00DFE8C890ADDBBB6BF49304F24856DE525AB244D731AA85DB90

Function 6E11B300 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E11B3EB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E11B3FB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E11B429
SafeArrayDestroy.OLEAUT32(?), ref: 6E11B525
VariantClear.OLEAUT32(?), ref: 6E11B5E5

Strings

@, xrefs: 6E11B3D7

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: 3b021f3331312ce24d173514ed8255364857a98c63af03e38b645443ce0352b6
Instruction ID: 4d8d9e96267e2abc503b16521f70ecebdabb92d70942e88ac8cce66144394bcc
Opcode Fuzzy Hash: 3b021f3331312ce24d173514ed8255364857a98c63af03e38b645443ce0352b6
Instruction Fuzzy Hash: CBD16A71E0424ACFDB00DFE8C890AEDBBB5BF58304F648569E515AB358D730AA85DF90

Function 6E141580 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 277COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E1416B2

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

__CxxThrowException@8.LIBCMT ref: 6E14180A

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

Strings

exceeds the maximum of , xrefs: 6E14173F
: message length of , xrefs: 6E14170D
for this public key, xrefs: 6E141771
: this key is too short to encrypt any messages, xrefs: 6E14162A

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaiseXinvalid_argumentstd::_
String ID: exceeds the maximum of $ for this public key$: message length of $: this key is too short to encrypt any messages
API String ID: 3807434085-412673420
Opcode ID: 8e3b89c62b936d1064dee845b0adb7fa5ba1da10d4c548f9396e2b686af5b17c
Instruction ID: ffea2049aac36e5b931a5c750dc77d27d96bbe5a3d7f1eb30c6f1bba2d85c069
Opcode Fuzzy Hash: 8e3b89c62b936d1064dee845b0adb7fa5ba1da10d4c548f9396e2b686af5b17c
Instruction Fuzzy Hash: 42B15D712083809FD320DBA9C890FDBBBE9AFD9314F04891DE19D87351DB70A9459BA3

Function 6E161250 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E16126E

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

_memmove.LIBCMT ref: 6E1612E0
_memmove.LIBCMT ref: 6E161305
_memmove.LIBCMT ref: 6E161342
_memmove.LIBCMT ref: 6E16135F

Strings

deque<T> too long, xrefs: 6E161269

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 4034224661-309773918
Opcode ID: 5a80f78740d9fc5a7b47b2c1451bad4d167a11929f8cbfe346603447a338e10e
Instruction ID: c765adb078b0c90367258fcae2ea5e32b1b7ce2fca3249a9240dc8d82926f7bc
Opcode Fuzzy Hash: 5a80f78740d9fc5a7b47b2c1451bad4d167a11929f8cbfe346603447a338e10e
Instruction Fuzzy Hash: 7F410872B042014BD704CFA8DC9066BB7EAEBD4220F198A2CE809D7354FA34ED59C7A1

Function 6E1613A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E1613BE

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

_memmove.LIBCMT ref: 6E161431
_memmove.LIBCMT ref: 6E161456
_memmove.LIBCMT ref: 6E161493
_memmove.LIBCMT ref: 6E1614B0

Strings

deque<T> too long, xrefs: 6E1613B9

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 4034224661-309773918
Opcode ID: 2c429fafd9e564acc290f530f60762cd60a714ee35ffa7f2358f94a8698cfcd1
Instruction ID: 4f8ecfc1882984b5be0eb6bac30d872f8b1bd381944dea2a51b6545c2c246e56
Opcode Fuzzy Hash: 2c429fafd9e564acc290f530f60762cd60a714ee35ffa7f2358f94a8698cfcd1
Instruction Fuzzy Hash: 3141E472B042054BD704CFA8DC9196BB7EAABD4220F198A2CE809D7344FB34ED5987A1

Function 6E104D90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E104DA9

Part of subcall function 6E169125: std::exception::exception.LIBCMT ref: 6E16913A
Part of subcall function 6E169125: __CxxThrowException@8.LIBCMT ref: 6E16914F
Part of subcall function 6E169125: std::exception::exception.LIBCMT ref: 6E169160

std::_Xinvalid_argument.LIBCPMT ref: 6E104DCA
std::_Xinvalid_argument.LIBCPMT ref: 6E104DE5
_memmove.LIBCMT ref: 6E104E4D

Strings

invalid string position, xrefs: 6E104DA4
string too long, xrefs: 6E104DC5, 6E104DE0

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 915eaae791ed93fff8d70cf6a4543f267c49d2ac26499ba019da3b0e842ab89e
Instruction ID: 762646bde3ea818777dbded75c7dcb01c52ca322687605f405732a3a0e611e76
Opcode Fuzzy Hash: 915eaae791ed93fff8d70cf6a4543f267c49d2ac26499ba019da3b0e842ab89e
Instruction Fuzzy Hash: D431CA323042158FD724CEDCE8D0A5AF3E9ABB4725B200A2EE552CB740DB71D8C1D791

Function 6E1744E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6E174532
DName::operator+.LIBCMT ref: 6E174539
DName::DName.LIBCMT ref: 6E17455B
DName::operator+.LIBCMT ref: 6E174562
DName::operator+.LIBCMT ref: 6E174569

Strings

throw(, xrefs: 6E17452A, 6E174553

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: 488aaa6b43221776043800bb19772460f7e0527982c2f32c15531d7cb3f66107
Instruction ID: 614a5629c185db6e5aef17344e232fcf0b1ccdb5a81b57368b9997c8a7ce2c64
Opcode Fuzzy Hash: 488aaa6b43221776043800bb19772460f7e0527982c2f32c15531d7cb3f66107
Instruction Fuzzy Hash: D10180B0610109AFCF14DFE8C859DEE7BB9EB48B08F404455E9019B294DB30A987AB90

Function 6E16CCF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 6E16CCFA

Part of subcall function 6E16EA6D: GetLastError.KERNEL32(?,?,6E16D7DD,6E169DEF,00000000,?,6E169BD4,6E101290,4F740BFF), ref: 6E16EA71
Part of subcall function 6E16EA6D: ___set_flsgetvalue.LIBCMT ref: 6E16EA7F
Part of subcall function 6E16EA6D: __calloc_crt.LIBCMT ref: 6E16EA93
Part of subcall function 6E16EA6D: DecodePointer.KERNEL32(00000000,?,?,6E16D7DD,6E169DEF,00000000,?,6E169BD4,6E101290,4F740BFF), ref: 6E16EAAD
Part of subcall function 6E16EA6D: GetCurrentThreadId.KERNEL32 ref: 6E16EAC3
Part of subcall function 6E16EA6D: SetLastError.KERNEL32(00000000,?,?,6E16D7DD,6E169DEF,00000000,?,6E169BD4,6E101290,4F740BFF), ref: 6E16EADB

__calloc_crt.LIBCMT ref: 6E16CD1C
__get_sys_err_msg.LIBCMT ref: 6E16CD3A
_strcpy_s.LIBCMT ref: 6E16CD42
__invoke_watson.LIBCMT ref: 6E16CD57

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 6E16CD07, 6E16CD2A

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: a6dc3a7cfef7509be9af599571e784deb4ac0a51eb71081e249d338232531d70
Instruction ID: 57c97fe7a3a21bc998c582e3dda201c8f2af0ebd3eb0429e7852d0ccb1b100de
Opcode Fuzzy Hash: a6dc3a7cfef7509be9af599571e784deb4ac0a51eb71081e249d338232531d70
Instruction Fuzzy Hash: 0BF02B736043242BCB1065E99C8099F7BAD9B91768B610C3AF50CBF100E6259CE075D4

Function 6E16E9B9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6E199880,00000008,6E16EAC1,00000000,00000000,?,?,6E16D7DD,6E169DEF,00000000,?,6E169BD4,6E101290,4F740BFF), ref: 6E16E9CA
__lock.LIBCMT ref: 6E16E9FE

Part of subcall function 6E172438: __mtinitlocknum.LIBCMT ref: 6E17244E
Part of subcall function 6E172438: __amsg_exit.LIBCMT ref: 6E17245A
Part of subcall function 6E172438: EnterCriticalSection.KERNEL32(6E169BD4,6E169BD4,?,6E16EA03,0000000D), ref: 6E172462

InterlockedIncrement.KERNEL32(FFFFFEF5), ref: 6E16EA0B
__lock.LIBCMT ref: 6E16EA1F
___addlocaleref.LIBCMT ref: 6E16EA3D

Strings

KERNEL32.DLL, xrefs: 6E16E9C5

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 249c62e4f43825e20369b2bf0b25965101b35c6e5cfdea3527ddec802362d61b
Instruction ID: 213b31c79ae176d3f061daa71c9fe8be5541a8a8bdf2227e95db676efc60d165
Opcode Fuzzy Hash: 249c62e4f43825e20369b2bf0b25965101b35c6e5cfdea3527ddec802362d61b
Instruction Fuzzy Hash: 6F015EB1445B00DED720DFA9C80478ABBE4AF41318F20890DD596976A0CB74A685EF11

Function 6E11E120 Relevance: 9.4, APIs: 6, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6E11E29B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6E11E2B6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6E11E2D7

Part of subcall function 6E125760: std::tr1::_Xweak.LIBCPMT ref: 6E125769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6E11E309

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6E11E523
InterlockedCompareExchange.KERNEL32(6E1AC6A4,45524548,4B4F4F4C), ref: 6E11E544

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID:
API String ID: 2722669376-0
Opcode ID: 4853704c45be80ebaabac84d736e535437776f1b5714461eda5bae01139397dd
Instruction ID: 6571242805acadd0c71edea3579325133d702ac836bbdd551e02ab0bdaec85fb
Opcode Fuzzy Hash: 4853704c45be80ebaabac84d736e535437776f1b5714461eda5bae01139397dd
Instruction Fuzzy Hash: E7D1B2B1A042059FDB50CFE4C894BDE77B9AF45304F148479E506EB680E774EA84EBA1

Function 6E128A9A Relevance: 9.1, APIs: 6, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 8575ed201db9583555cdeb3242fca2843b550241517ef6415b06738031229768
Instruction ID: 319635170ad5031f8be7d99318c36930e9370192bc250ae57932f5606a02becd
Opcode Fuzzy Hash: 8575ed201db9583555cdeb3242fca2843b550241517ef6415b06738031229768
Instruction Fuzzy Hash: 3A416974A006099FCB40CFA9CD90A5EB7FAAF99300F20859AE509DB355DB31EC82DF50

Function 6E128DE8 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 85e507a8463ffd4a6748bc765af54c657c09be3e32b58f2a3140d9dba0715729
Instruction ID: 5306580b0f624b24038678f878333de114e39715079d8dc02e3b781de2cca5c7
Opcode Fuzzy Hash: 85e507a8463ffd4a6748bc765af54c657c09be3e32b58f2a3140d9dba0715729
Instruction Fuzzy Hash: 3B415D70A006199FDB00DFA8CC90B9EB7B9AF99200F2085A6E518E7255DB31E981DF50

Function 6E120338 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 85e507a8463ffd4a6748bc765af54c657c09be3e32b58f2a3140d9dba0715729
Instruction ID: 4b54e632e2aee74d0bc9db8216310714cb50830870fb4ddf3c27738a3c5a0ea5
Opcode Fuzzy Hash: 85e507a8463ffd4a6748bc765af54c657c09be3e32b58f2a3140d9dba0715729
Instruction Fuzzy Hash: 7B415E70A006099FCB40CFA9CD90F9EB7F9AF99200F2086A6E518E7255DB31DD81DF50

Function 6E128F83 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 65b6b91cf78f3e2b8ebcf331e3c549afdf09368bad5f44631a283b9a01686c5c
Instruction ID: 359a05ea4232b146f3bb4a34eb65d7523f17ab8881b1244e09ba1f756e56920a
Opcode Fuzzy Hash: 65b6b91cf78f3e2b8ebcf331e3c549afdf09368bad5f44631a283b9a01686c5c
Instruction Fuzzy Hash: 82313970A006099FCB40CFA8CC90B9EB7BAAF99200F208596E519E7255DB75ED81DF50

Function 6E128CE7 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 8582385c92e6cee54f3ef8fc43261b2dce55b9f6c98707734954fed16981a6b0
Instruction ID: 5d7e251cc2b7357366b6365fd5bf265dd2144f86da435038a38037793fcd3d99
Opcode Fuzzy Hash: 8582385c92e6cee54f3ef8fc43261b2dce55b9f6c98707734954fed16981a6b0
Instruction Fuzzy Hash: 52315C70E006099FCB40CFA8CD90B9EB7B9AF99200F208696E419E7255DB71EDC1DF50

Function 6E128BDD Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 6089819031c0e7c4d4d681d5eeb9e3f531c6871b5041c7fd51766367a8fe1c64
Instruction ID: 660d5d45bc287953778f224b89d4cf81f4b39a9cd3f3b0f4f4a74be881e57e72
Opcode Fuzzy Hash: 6089819031c0e7c4d4d681d5eeb9e3f531c6871b5041c7fd51766367a8fe1c64
Instruction Fuzzy Hash: A9315A70E006099FCB00CFA8CC90B9EB7B9AF99200F20859AE419E7255DB75EDC1DF50

Function 6E120668 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 9884b3cae87280f6e1786e76c9dfee5cc7891abbd7c23a3a9010c9ff41f1f51e
Instruction ID: 113658e689768bb799b9b08278e7c16993db8d4950fd5ccc3fd2f3383490c632
Opcode Fuzzy Hash: 9884b3cae87280f6e1786e76c9dfee5cc7891abbd7c23a3a9010c9ff41f1f51e
Instruction Fuzzy Hash: 70314C70E106099FCB40CFA9CD90B9EB7B9AF99200F2085A6E418E7251DB71D9C0DF50

Function 6E1204D3 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 65b6b91cf78f3e2b8ebcf331e3c549afdf09368bad5f44631a283b9a01686c5c
Instruction ID: b045fd338865f7af93626e53971d950aee296f4cf8a22acff9ebb087343575fa
Opcode Fuzzy Hash: 65b6b91cf78f3e2b8ebcf331e3c549afdf09368bad5f44631a283b9a01686c5c
Instruction Fuzzy Hash: 32314870E106099FCB40CFA9CC90B9EB7B9AF99200F20859AE418EB251DB75E9C1DB50

Function 6E1205DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: ed9382c9c509efe487270c0ba6b18faf8a0ce449122af25062c27c0892664562
Instruction ID: c086a54bf8a16ee97595cb04387c89b7b1ef33043ce0e2354e64c6da19842618
Opcode Fuzzy Hash: ed9382c9c509efe487270c0ba6b18faf8a0ce449122af25062c27c0892664562
Instruction Fuzzy Hash: B1313D70E106199FCB40CFA9CD90B9EB7B9AF99200F208596E418E7251D775DDC1DF50

Function 6E129237 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: b1fe2efd251a2831e527ccca006329b13c1c8479a5d384352ee739502a14e031
Instruction ID: a37753d1cd6411c180f75a630cc5343f11692268fd3becfd5129833e4b941455
Opcode Fuzzy Hash: b1fe2efd251a2831e527ccca006329b13c1c8479a5d384352ee739502a14e031
Instruction Fuzzy Hash: 36314870A006099FCB40DFA8CC90B9EB7B9AF99200F20859AE419EB251DB75E981DF50

Function 6E1292C5 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: e5060edf4871e8457d5baa4b565d7dd669d34a9a751a9d3f97010fe81d8cce0d
Instruction ID: 6a56b87ae9208a2c2df53831320e2737b940c595bdca9988399d9662b95f40ec
Opcode Fuzzy Hash: e5060edf4871e8457d5baa4b565d7dd669d34a9a751a9d3f97010fe81d8cce0d
Instruction Fuzzy Hash: B3313970A006199FCB40CBA8CD90B9EB7B9AF99200F208596E419E7255DB75EDC1DF50

Function 6E12908A Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: ed9382c9c509efe487270c0ba6b18faf8a0ce449122af25062c27c0892664562
Instruction ID: 57bd9fce65f414a3322ce55ace2ef5e3d4d6ab8b87e4b2d9763e029918893486
Opcode Fuzzy Hash: ed9382c9c509efe487270c0ba6b18faf8a0ce449122af25062c27c0892664562
Instruction Fuzzy Hash: FE314970E006199FCB40CFA8CD90B9EB7BDAF99200F20859AE518EB251DB35ED81DF50

Function 6E129118 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 9884b3cae87280f6e1786e76c9dfee5cc7891abbd7c23a3a9010c9ff41f1f51e
Instruction ID: 5ee93f8606412d227af1234366ee5be84df16d41db8295c08c2d69efeb18e4fd
Opcode Fuzzy Hash: 9884b3cae87280f6e1786e76c9dfee5cc7891abbd7c23a3a9010c9ff41f1f51e
Instruction Fuzzy Hash: 1B314B70A006099FCB40CFA9CD90B9EB7B9AF99200F2085A6E419E7251DB71E981DF50

Function 6E1291A9 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 42666d571609ab911d3549f8b0994194baaf34d35f6d3edb02bc90efb8018112
Instruction ID: bca2466b68d4490a683c5e2cdcd19f12521c67219aacad01e0087499516ef5b1
Opcode Fuzzy Hash: 42666d571609ab911d3549f8b0994194baaf34d35f6d3edb02bc90efb8018112
Instruction Fuzzy Hash: 69315970E006099FCB40CFA9CD90B9EB7B9AF99200F20859AE419EB255DB75EDC1DF50

Function 6E12C150 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6E12C180
SafeArrayPutElement.OLEAUT32(00000000,6E123749,?), ref: 6E12C1B8
VariantClear.OLEAUT32(?), ref: 6E12C1C4
VariantCopy.OLEAUT32(6E123749,?), ref: 6E12C21B
VariantClear.OLEAUT32(?), ref: 6E12C22F
SafeArrayDestroy.OLEAUT32(00000000), ref: 6E12C23E

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafeVariant$Clear$CopyCreateDestroyElementVector
String ID:
API String ID: 3979206172-0
Opcode ID: 32f9c1497acba4b48abad3d8ea283e006b58f5d734872c1ecbbbfbfe4073fdc9
Instruction ID: 7f1be54cd9029739541db88c57249d0959eb51b25610f59fb426dc2147307a0d
Opcode Fuzzy Hash: 32f9c1497acba4b48abad3d8ea283e006b58f5d734872c1ecbbbfbfe4073fdc9
Instruction Fuzzy Hash: F0313B75A04609AFDB00DFE8C894B9FBBB8EF9A700F108529E915D7350EA35E941DB60

Function 6E117370 Relevance: 9.1, APIs: 6, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,6E1811FD,000000FF,?,6E118B80,00000000,?,00000000,?,6E118C13,?,?), ref: 6E117415
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000,6E1811FD,000000FF,?,6E118B80,00000000,?,00000000,?,6E118C13,?,?), ref: 6E11741B
std::exception::exception.LIBCMT ref: 6E11743D
__CxxThrowException@8.LIBCMT ref: 6E117452
std::exception::exception.LIBCMT ref: 6E117461
__CxxThrowException@8.LIBCMT ref: 6E117476

Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C04
Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C1E
Part of subcall function 6E169BB5: __CxxThrowException@8.LIBCMT ref: 6E169C2F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$CriticalInitializeSection$_malloc
String ID:
API String ID: 189561132-0
Opcode ID: 0334e9e288282740922530b98912fca2966c769f2999ded52ef0ca229fc7f074
Instruction ID: a62e1ff34bfb25f17a65ef7749638390fb37080876617e17ab6269d66342c60c
Opcode Fuzzy Hash: 0334e9e288282740922530b98912fca2966c769f2999ded52ef0ca229fc7f074
Instruction Fuzzy Hash: 9C3177B2904A489FC750CFA9C880A9BFBF8FF59310B44895EE85697B40E730E544DBA1

Function 6E128E8E Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: a5e55b7d3e8422c7111596a877a9bb2a045764b9ff92da8ed8641a59a023164e
Instruction ID: 38ba6ced7d3a54af0a9923a2d626ef52206a22520b7a40cc54758482ab0c2e04
Opcode Fuzzy Hash: a5e55b7d3e8422c7111596a877a9bb2a045764b9ff92da8ed8641a59a023164e
Instruction Fuzzy Hash: 1D313A70E006189FCB50DFA8CC94B9EB7B9AF99200F20869AE419E7255DB71EDC1DF50

Function 6E128F07 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 6a51ed9379e67d3de901809ee5ecb4eda26130a33eebe48e32bbb5dea7cb8f5c
Instruction ID: 0472258644d1152e67f418cd6e8168acad5d9873864e859d7b4a06b39e1ce25e
Opcode Fuzzy Hash: 6a51ed9379e67d3de901809ee5ecb4eda26130a33eebe48e32bbb5dea7cb8f5c
Instruction Fuzzy Hash: 80315A70E006189FCB10CBA8CC90B9EB7BAAF99300F2085AAE419E7245C771EDC1DF50

Function 6E128C6E Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 072d6e20a41f73a9333307eaf050ef1b0e219e17f736bc2dd4340cc894776344
Instruction ID: 8d5de64a4e05d764392be491ff9c90bf231ce0c80d19fa72d8273694ebaf662d
Opcode Fuzzy Hash: 072d6e20a41f73a9333307eaf050ef1b0e219e17f736bc2dd4340cc894776344
Instruction Fuzzy Hash: 80315C70E006189FDB50DBA8CC90B9EB7BDAF99200F24859AE419E7245C771EDC1DF50

Function 6E128D72 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: fca08f89501372161ac239a06800a3c1e13ffe0ddee686fd2617fa9761e57ee7
Instruction ID: 1b9d379e51b975c2b09b2889d5ebc903e197c3ed3d6070819729c9718dc3ba0b
Opcode Fuzzy Hash: fca08f89501372161ac239a06800a3c1e13ffe0ddee686fd2617fa9761e57ee7
Instruction Fuzzy Hash: 66313C70E006189FCB50CFA8CC94B9EB7B9AF99200F20869AE419E7255D771EDC1DF50

Function 6E128B64 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: bc17a72e3ee3fd46765208137caf8765d599724cf7902454a19af4a643917bf9
Instruction ID: a707689aad4ed5b372fd564019df2f9c91fe2adf7537e92f45a146956751f0b1
Opcode Fuzzy Hash: bc17a72e3ee3fd46765208137caf8765d599724cf7902454a19af4a643917bf9
Instruction Fuzzy Hash: D3316A70E006189FCB50CBA8CC90B9EB7BEAF99200F20859AE419E7241CB71EDC1DF50

Function 6E12884F Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: ae1e49702d57e2c58a8a18c2030d8026d2ead57c17554b0d0101def587121dd5
Instruction ID: 759cbce9356a2a5833efee58d916cfe526be745356fcfa6dd6b8c07beb9ba7ca
Opcode Fuzzy Hash: ae1e49702d57e2c58a8a18c2030d8026d2ead57c17554b0d0101def587121dd5
Instruction Fuzzy Hash: 1C313A70E006189FDB50CBA9CC90B9EB7BAAF99200F20859AE419E7245D771EDC1DF50

Function 6E120561 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 3740cd0e5aa28189721df79c3d0480436b7469dd97eeb2913f0896c582267e59
Instruction ID: ae5c1410354a20284f75f5efea05ea88990a944ce98744cc47564881464ad0b4
Opcode Fuzzy Hash: 3740cd0e5aa28189721df79c3d0480436b7469dd97eeb2913f0896c582267e59
Instruction Fuzzy Hash: 2F3149B0E106189FCB50CBA9CD90B9EB7B9AF99200F20869AE418E7251DB71D9C0DF50

Function 6E1202C2 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: fca08f89501372161ac239a06800a3c1e13ffe0ddee686fd2617fa9761e57ee7
Instruction ID: 2f62cb213756ec852d490470a0bd994f80933949fde47ce56e20d0118934e972
Opcode Fuzzy Hash: fca08f89501372161ac239a06800a3c1e13ffe0ddee686fd2617fa9761e57ee7
Instruction Fuzzy Hash: 04314970E106189FCB10CFA9CC90B9DB7B9AF99200F6086AAE419E7245DB71EDC1DF50

Function 6E1203DE Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: a5e55b7d3e8422c7111596a877a9bb2a045764b9ff92da8ed8641a59a023164e
Instruction ID: cee4992302484de128083166364388db6ec3546722d027fc46ec1e9e5c376be5
Opcode Fuzzy Hash: a5e55b7d3e8422c7111596a877a9bb2a045764b9ff92da8ed8641a59a023164e
Instruction Fuzzy Hash: 22315A70E106189FCB10CFA9CC90B9DB7B9AF99200F6086AAE418E7255DB71EDC0DF50

Function 6E1200B4 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: bc17a72e3ee3fd46765208137caf8765d599724cf7902454a19af4a643917bf9
Instruction ID: efeff4b9d37cefb7f0a42c688ae06bc4b09f1e20477f687bfde32ced071a4c31
Opcode Fuzzy Hash: bc17a72e3ee3fd46765208137caf8765d599724cf7902454a19af4a643917bf9
Instruction Fuzzy Hash: 05312970E106189FCB50CBA9CC90B9DB7BAAF99200F20869AE418E7251DB75DDC1DF50

Function 6E1201BE Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 072d6e20a41f73a9333307eaf050ef1b0e219e17f736bc2dd4340cc894776344
Instruction ID: dd8873ef4567cb21a356f9cc0762b409747830a3fcb543882171262cd894ab8e
Opcode Fuzzy Hash: 072d6e20a41f73a9333307eaf050ef1b0e219e17f736bc2dd4340cc894776344
Instruction Fuzzy Hash: F3315C70E106189FDB50DFA9CC90B9DB7BAAF99200F2085AAE418E7241DB71DDC1DF50

Function 6E11FD9F Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: ae1e49702d57e2c58a8a18c2030d8026d2ead57c17554b0d0101def587121dd5
Instruction ID: 1c047699e232752dc814b14474ea4918d2496e82c3a5d43554649c04ec8abed6
Opcode Fuzzy Hash: ae1e49702d57e2c58a8a18c2030d8026d2ead57c17554b0d0101def587121dd5
Instruction Fuzzy Hash: 13312970E106189FCB50CFA9CD80B9DB7B9AF99200F20859AE418EB241CB71E9C1DF50

Function 6E129011 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 3740cd0e5aa28189721df79c3d0480436b7469dd97eeb2913f0896c582267e59
Instruction ID: 84b0079a34aabb3708cc10596d4daab57f8a9a6b6e31c6870423cb2a07eff837
Opcode Fuzzy Hash: 3740cd0e5aa28189721df79c3d0480436b7469dd97eeb2913f0896c582267e59
Instruction Fuzzy Hash: 71314C70E006189FCB50DBA8CD90B9EB7BDAF99200F20859AE419E7245D771EDC1DF50

Function 6E17249C Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000100,?,?,?,?,?,6E1725B1,?,00000000,?), ref: 6E1724E6
_malloc.LIBCMT ref: 6E17251B
_memset.LIBCMT ref: 6E17253B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000,00000001,00000000), ref: 6E172550
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6E17255E
__freea.LIBCMT ref: 6E172568

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ByteCharMultiWide$StringType__freea_malloc_memset
String ID:
API String ID: 525495869-0
Opcode ID: 3f6edb4e1e04e72f735c19407d2498a2fd0beaed38b4a2fd43db250df1b5be27
Instruction ID: f2d5d04e8a0da2ae82bb2eef4f68ccab7fd12280255f544393ad2d8f443a0078
Opcode Fuzzy Hash: 3f6edb4e1e04e72f735c19407d2498a2fd0beaed38b4a2fd43db250df1b5be27
Instruction Fuzzy Hash: 7B3149F161020AAFEF11CFA8DC909EF7BADEB09758F214425F91597250E730DDA1EA60

Function 6E128A39 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6E1269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E126A08
Part of subcall function 6E1269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E126A15
Part of subcall function 6E1269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E126A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 43048a4b5fe5f6f145d75443d9c0b1f94444dff260167a4f5ea3b668a25808dd
Instruction ID: 7c352c29b09d0bee348be4dc4029f122caed7ac1cbe0601cdb392efb784a0f4c
Opcode Fuzzy Hash: 43048a4b5fe5f6f145d75443d9c0b1f94444dff260167a4f5ea3b668a25808dd
Instruction Fuzzy Hash: 7F314F70E006189FCB50CBA8CC90B9EB7BAAF95300F20469AE419E7241C775EDC1DF50

Function 6E1287EE Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6E1269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E126A08
Part of subcall function 6E1269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E126A15
Part of subcall function 6E1269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E126A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12AEBF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 0975c4704db7d33784f8229dfa0a1c8ec76cccf13a3ce8d33c794a92c37e0daa
Instruction ID: b2b78833ab7f57703b08dfb33b598a5177bea6ec6afbf21594ffff36f7e9acb3
Opcode Fuzzy Hash: 0975c4704db7d33784f8229dfa0a1c8ec76cccf13a3ce8d33c794a92c37e0daa
Instruction Fuzzy Hash: 0A312A70E006189FCB10DBA8CC90B9EB7BAAF95200F20499AE419E7245DB75EDC1DF50

Function 6E11FF89 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6E1269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E126A08
Part of subcall function 6E1269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E126A15
Part of subcall function 6E1269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E126A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 43048a4b5fe5f6f145d75443d9c0b1f94444dff260167a4f5ea3b668a25808dd
Instruction ID: f64ccae31748fd6c13e0f957de83ff381ca1a490b48965a5a57f207173005765
Opcode Fuzzy Hash: 43048a4b5fe5f6f145d75443d9c0b1f94444dff260167a4f5ea3b668a25808dd
Instruction Fuzzy Hash: 3F313C70E106189FCB50CBA9CC90B9DB7BAAF99300F60869AE419E7241CB75EDC0DF50

Function 6E11FD3E Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6E1269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6E126A08
Part of subcall function 6E1269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E126A15
Part of subcall function 6E1269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6E126A41

SafeArrayDestroy.OLEAUT32(?), ref: 6E1223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6E1223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6E12240F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 0975c4704db7d33784f8229dfa0a1c8ec76cccf13a3ce8d33c794a92c37e0daa
Instruction ID: 54ca4726de5cdcff9eef7f26a4d13253629992aac57804610b22e8121af18f22
Opcode Fuzzy Hash: 0975c4704db7d33784f8229dfa0a1c8ec76cccf13a3ce8d33c794a92c37e0daa
Instruction Fuzzy Hash: 87314970E106189FCB10CBA9CC80B9EB7BAAF99300F60859AE418E7241CB75DDC0DF50

Function 6E1606A0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 6E104760: __CxxThrowException@8.LIBCMT ref: 6E1047F9

_memmove.LIBCMT ref: 6E160907
_memmove.LIBCMT ref: 6E160936
_memmove.LIBCMT ref: 6E160959
__CxxThrowException@8.LIBCMT ref: 6E160A25

Strings

PSSR_MEM: message recovery disabled, xrefs: 6E1609E3

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memmove$Exception@8Throw
String ID: PSSR_MEM: message recovery disabled
API String ID: 2655171816-3051149714
Opcode ID: 4153c54af4dec681964635c956cee70bd0b83730975697c6d70d51c47f73936b
Instruction ID: 19b2528777c6bf59a590f63ef0d1cd9f70338d1c71adb169676975d416ea6ac6
Opcode Fuzzy Hash: 4153c54af4dec681964635c956cee70bd0b83730975697c6d70d51c47f73936b
Instruction Fuzzy Hash: B5C17A746083418FD754CF68C890B6BB7E5BFD9304F148A5CE5898B385E730E945CB92

Function 6E167FE0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 325COMMON

Download Yara Rule

APIs

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E1680EA

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Strings

Max, xrefs: 6E1683E3
invalid bit length, xrefs: 6E168044
RandomNumberType, xrefs: 6E1683A9
Min, xrefs: 6E1683C5

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: Max$Min$RandomNumberType$invalid bit length
API String ID: 3718517217-2498579642
Opcode ID: 9c0b3ee94c74e2cb7b2a2a0c6743d756a340986ad533ac82fa24127aa8953fbd
Instruction ID: e065037926aa6bd065a7cf9007686234c5d57512343654295f036b113e25d41a
Opcode Fuzzy Hash: 9c0b3ee94c74e2cb7b2a2a0c6743d756a340986ad533ac82fa24127aa8953fbd
Instruction Fuzzy Hash: 6BC190705087809FE324CBA8D850B8FB7E9AFDA318F544E1CE69983391DB749984D763

Function 6E16BE8E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6E16BEB6

Part of subcall function 6E16AB70: __getptd.LIBCMT ref: 6E16AB7E
Part of subcall function 6E16AB70: __getptd.LIBCMT ref: 6E16AB8C

__getptd.LIBCMT ref: 6E16BEC0

Part of subcall function 6E16EAE6: __getptd_noexit.LIBCMT ref: 6E16EAE9
Part of subcall function 6E16EAE6: __amsg_exit.LIBCMT ref: 6E16EAF6

__getptd.LIBCMT ref: 6E16BECE
__getptd.LIBCMT ref: 6E16BEDC
__getptd.LIBCMT ref: 6E16BEE7
_CallCatchBlock2.LIBCMT ref: 6E16BF0D

Part of subcall function 6E16AC15: __CallSettingFrame@12.LIBCMT ref: 6E16AC61

Part of subcall function 6E16BFB4: __getptd.LIBCMT ref: 6E16BFC3
Part of subcall function 6E16BFB4: __getptd.LIBCMT ref: 6E16BFD1

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: bbb0b99fc0f1bd0251636b9a9026c746798c8545c032047e18d5cefa1f53bc94
Instruction ID: 236b081934c48fffcad9835e461eee1c28bd05aa67dc1154652812561d68e6be
Opcode Fuzzy Hash: bbb0b99fc0f1bd0251636b9a9026c746798c8545c032047e18d5cefa1f53bc94
Instruction Fuzzy Hash: 3D11C9B1C002099FDB10DFE4D944AEEBBB4FF04318F108969F914A7250EB389AA5AF50

Function 06700F14 Relevance: 9.0, Strings: 7, Instructions: 201COMMON

Download Yara Rule

Strings

p<]q, xrefs: 06701177
Guq, xrefs: 06701243
HERE, xrefs: 06701086
HERE, xrefs: 06700F6F
p<]q, xrefs: 0670112C
LOOK, xrefs: 06701081
LOOK, xrefs: 06700F6A

Memory Dump Source

Source File: 00000000.00000002.2120698527.0000000006700000.00000040.00000800.00020000.00000000.sdmp, Offset: 06700000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6700000_file.jbxd

Similarity

API ID:
String ID: HERE$HERE$LOOK$LOOK$p<]q$p<]q$Guq
API String ID: 0-1107190866
Opcode ID: afabfe7020b93db150ab9ab1a6bb5bfe50e7e5665075ba2304e43dc8be0b29da
Instruction ID: 6454c48b6de02dff1b014dd96b67625fe2e7f1f9030e73cf9aa00af06e8bfab8
Opcode Fuzzy Hash: afabfe7020b93db150ab9ab1a6bb5bfe50e7e5665075ba2304e43dc8be0b29da
Instruction Fuzzy Hash: 57A18274E00229CFDBA8DF69C994BE9B7F1AB48310F5481E9D54DAB261DB309E81CF50

Function 6E1370E0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E137267

Strings

exceeds the maximum of , xrefs: 6E137309
is less than the minimum of , xrefs: 6E1371D0
: IV length , xrefs: 6E13719E, 6E1372D7

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throw
String ID: exceeds the maximum of $ is less than the minimum of $: IV length
API String ID: 2005118841-1273958906
Opcode ID: bb76f7bef817218ad191be80169976c21a94b7e43aebe9def534476fc9b78535
Instruction ID: 9584865a362897dcf57eaf995d01175f85fce23e1b5dae20a1039ff8cc54a724
Opcode Fuzzy Hash: bb76f7bef817218ad191be80169976c21a94b7e43aebe9def534476fc9b78535
Instruction Fuzzy Hash: B46173B11083809FD331DBA8C884FDFB7ECAF99344F104A1DE19D87241DB7599859BA2

Function 6E15AE90 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E15AF27
_strncmp.LIBCMT ref: 6E15AFA6

Strings

ThisPointer:, xrefs: 6E15AF4B, 6E15AFA0
ValueNames, xrefs: 6E15AEB7

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 9e8502ade4ab57414f930e127c6aa091cb8570310788a2190259ca829355c889
Instruction ID: 7ed00c31d6b69dc9f0a404c5825b239643186e5a8327cb5487f0fbb0e7d2f3dc
Opcode Fuzzy Hash: 9e8502ade4ab57414f930e127c6aa091cb8570310788a2190259ca829355c889
Instruction Fuzzy Hash: 1F51E8B12083415FC314CFE4C890E6BB7FAAF95348F244A1DF5B68B355C722E899A761

Function 6E13A360 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E13A3F7
_strncmp.LIBCMT ref: 6E13A476

Strings

ThisPointer:, xrefs: 6E13A41B, 6E13A470
ValueNames, xrefs: 6E13A387

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 9299f947d26596e48285d97049b3334768c4a6a6ec6cc2ab33a459ebb3aacb15
Instruction ID: 52b2de1495335de0a6a2092338c35baa857fcd2879cefb4ca3e73208159da5eb
Opcode Fuzzy Hash: 9299f947d26596e48285d97049b3334768c4a6a6ec6cc2ab33a459ebb3aacb15
Instruction Fuzzy Hash: 0C5107712083505BC710CFE4C894A67FBEEAF96308F244A5CE5D68B381DB26E989E751

Function 6E15B9B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E15BA47
_strncmp.LIBCMT ref: 6E15BAC6

Strings

ThisPointer:, xrefs: 6E15BA6B, 6E15BAC0
ValueNames, xrefs: 6E15B9D7

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 5803589931e6634e41f9ca40b8b667b3a83c4697c10b6421148a5fae0a39f5df
Instruction ID: 04c7a04844fdcc3625274bd6f2c936d228a8f2713caed299424f555e8b89effb
Opcode Fuzzy Hash: 5803589931e6634e41f9ca40b8b667b3a83c4697c10b6421148a5fae0a39f5df
Instruction Fuzzy Hash: BC51F5B12083445BC310CFE9C890E67B7EAAF95218F144A1CF4F68B349D762E899E751

Function 6E141B70 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E141C1A

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

__CxxThrowException@8.LIBCMT ref: 6E141CDE
__CxxThrowException@8.LIBCMT ref: 6E141D3E

Strings

TF_SignerBase: the recoverable message part is too long for the given key and algorithm, xrefs: 6E141CF0
TF_SignerBase: this algorithm does not support messsage recovery or the key is too short, xrefs: 6E141C67

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: TF_SignerBase: the recoverable message part is too long for the given key and algorithm$TF_SignerBase: this algorithm does not support messsage recovery or the key is too short
API String ID: 3476068407-3371871069
Opcode ID: 9b585f80e84f8cad52a155998922513f32ba1001bdefa3dde0c7f82325e36a2f
Instruction ID: 0c5627ffb9b7f386488f2e6708506098ec6711ea24ca8be22196f3ca58deb4a5
Opcode Fuzzy Hash: 9b585f80e84f8cad52a155998922513f32ba1001bdefa3dde0c7f82325e36a2f
Instruction Fuzzy Hash: D1515C752087409FD364DFA8C880F9FB7E9BFC8314F108A1DE58987390DB74A9459BA2

Function 6E104010 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

Part of subcall function 6E169125: std::exception::exception.LIBCMT ref: 6E16913A
Part of subcall function 6E169125: __CxxThrowException@8.LIBCMT ref: 6E16914F
Part of subcall function 6E169125: std::exception::exception.LIBCMT ref: 6E169160

std::_Xinvalid_argument.LIBCPMT ref: 6E104067

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

_memmove.LIBCMT ref: 6E1040C8

Strings

invalid string position, xrefs: 6E104025
string too long, xrefs: 6E104062

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: efa7371fcd0bc58f8650ffb5ead79bd915968b2a9d8f3c03b6c021ed0677b429
Instruction ID: 8fbf14fb83b155a98dfdbfcbe374ceeec4cd297f5bcb953388b4ae9c25c4b040
Opcode Fuzzy Hash: efa7371fcd0bc58f8650ffb5ead79bd915968b2a9d8f3c03b6c021ed0677b429
Instruction Fuzzy Hash: 1A31C8333046149BD320CEDCE8D0A9EF7A9DBB1765F20092FF151DB244DB629D8297A1

Function 6E16C23B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6E16C24E

Part of subcall function 6E16C1A9: ___BuildCatchObjectHelper.LIBCMT ref: 6E16C1DF

_UnwindNestedFrames.LIBCMT ref: 6E16C265
___FrameUnwindToState.LIBCMT ref: 6E16C273

Strings

csm, xrefs: 6E16C23D
csm, xrefs: 6E16C24A, 6E16C25F, 6E16C272, 6E16C290, 6E16C2A0

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 2a3f766c9b4dac2ca2754d74b5085f77c001a70fed88627ce95d418e20d78339
Instruction ID: fc8876f059917dc9ab5a9f3ff09ea7a8d2bb23903fa0777373b7e3d7b1801691
Opcode Fuzzy Hash: 2a3f766c9b4dac2ca2754d74b5085f77c001a70fed88627ce95d418e20d78339
Instruction Fuzzy Hash: 8501EF7140111ABBDF129FD1CC45EEA7F6AEF58358F108424BD2929120DB3699F2EBA4

Function 6E142300 Relevance: 7.8, APIs: 5, Instructions: 257COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E1423F3
_memmove.LIBCMT ref: 6E142460

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 98363f6b8327428a9bdbb61e9fc208b77b1c9cacb757156ca85a948106e101ab
Instruction ID: 46e8d465d07a5d46736b9864039c2f96d08eb47e486711da9dc551577432e4db
Opcode Fuzzy Hash: 98363f6b8327428a9bdbb61e9fc208b77b1c9cacb757156ca85a948106e101ab
Instruction Fuzzy Hash: E591AFB1208706CFD714CF98C890A2BB7E9FF98614F144A2DE499C3340E734E985DBA2

Function 6E123C10 Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

SafeArrayGetElement.OLEAUT32(?,?,4F740BFF), ref: 6E123C49
VariantInit.OLEAUT32(?), ref: 6E123C81
VariantClear.OLEAUT32(?), ref: 6E123D26
VariantClear.OLEAUT32(?), ref: 6E123D30
VariantClear.OLEAUT32(?), ref: 6E123D89

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Clear$ArrayElementInitSafe
String ID:
API String ID: 4110538090-0
Opcode ID: ca10b43aebd66d5b9a92220027cb09bf8a47b0776abdb27747c9ab3a3133ae15
Instruction ID: 9d60f77ed02098cb8b12b98c303b8374f22271bedc69b41689f2b00712da54c3
Opcode Fuzzy Hash: ca10b43aebd66d5b9a92220027cb09bf8a47b0776abdb27747c9ab3a3133ae15
Instruction Fuzzy Hash: 61616F72A0024A9FCB00DFD8CC849DEB7B9FF49310F648569E515AB350D731AD86DB50

Function 6E131D50 Relevance: 7.6, APIs: 5, Instructions: 144timesleepCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(4F740BFF), ref: 6E131D91
timeGetTime.WINMM(4F740BFF), ref: 6E131D9F
timeGetTime.WINMM ref: 6E131DBB
timeGetTime.WINMM ref: 6E131DC9
Sleep.KERNEL32(00000032), ref: 6E131DDC

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Timetime$Sleep
String ID:
API String ID: 4176159691-0
Opcode ID: 5de4775758c03e4f6d6bfab476e44a84b28f3fc70ac5b8479d2ec243de8a090a
Instruction ID: b0a081f721bef0ab5f518059ee3e946c3ade1afa7eee7d6200c6ea5cda53feff
Opcode Fuzzy Hash: 5de4775758c03e4f6d6bfab476e44a84b28f3fc70ac5b8479d2ec243de8a090a
Instruction Fuzzy Hash: 7051D2B1A042549FDB01CFE8C884BDE7BB8BB16340F24847ED518DB340D7719988AB91

Function 6E116D40 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

_rand.LIBCMT ref: 6E116DEA

Part of subcall function 6E169E0C: __getptd.LIBCMT ref: 6E169E0C

std::exception::exception.LIBCMT ref: 6E116E17
__CxxThrowException@8.LIBCMT ref: 6E116E2C
std::exception::exception.LIBCMT ref: 6E116E3B
__CxxThrowException@8.LIBCMT ref: 6E116E50

Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C04
Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C1E
Part of subcall function 6E169BB5: __CxxThrowException@8.LIBCMT ref: 6E169C2F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$__getptd_malloc_rand
String ID:
API String ID: 2791304714-0
Opcode ID: 92bbc997b70e4353d447ce3ad6bb30385abc0e4fa4a61a9c7b640db45d35414d
Instruction ID: 00de5c7ee5c2b3b298b9d46f28144cb2ccee75b2713efe927b8e88ca21f317f4
Opcode Fuzzy Hash: 92bbc997b70e4353d447ce3ad6bb30385abc0e4fa4a61a9c7b640db45d35414d
Instruction Fuzzy Hash: 823137B19047089FC760CFA8C880A9AFBF4FB08314F44896ED85A97B41E771E644CF60

Function 6E117750 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6E117761
LeaveCriticalSection.KERNEL32(00000000,?), ref: 6E117782
EnterCriticalSection.KERNEL32(00000018), ref: 6E117796
LeaveCriticalSection.KERNEL32(00000018), ref: 6E1177CE
QueueUserWorkItem.KERNEL32(6E131D50,00000000,00000010), ref: 6E11780C

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ItemQueueUserWork
String ID:
API String ID: 584243675-0
Opcode ID: 0e7fae79b5aeae6749ab5872e55b03e3322de529842623c5952f3b2142a6889e
Instruction ID: bedd17b0ab6474ff5e45b478f770cca036ffc78de4799d08a163f678ff080fc9
Opcode Fuzzy Hash: 0e7fae79b5aeae6749ab5872e55b03e3322de529842623c5952f3b2142a6889e
Instruction Fuzzy Hash: 4C219171545709AFC740CFA4D858ADBBBF8FB56300F10886AE45687680DB30E989DBA1

Function 6E105AAC Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6E105ACB

Part of subcall function 6E169533: std::exception::_Copy_str.LIBCMT ref: 6E16954E

__CxxThrowException@8.LIBCMT ref: 6E105ABC

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

__CxxThrowException@8.LIBCMT ref: 6E105AE0

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E105B18
__CxxThrowException@8.LIBCMT ref: 6E105B2D

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 921928366-0
Opcode ID: 2432bc70290c58dc16fe431fe0de8be94d5d8e908334c370b051539ce6f88bd1
Instruction ID: e07b00b9ba7b13caf8e5d21b10709d7bd75bafd8582a698524901b9741685051
Opcode Fuzzy Hash: 2432bc70290c58dc16fe431fe0de8be94d5d8e908334c370b051539ce6f88bd1
Instruction Fuzzy Hash: C20140B28102086FDB04DFE4E850DDF7BBCAF14344F408559E909A7200EB30E694EBA5

Function 6E16F03B Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E16F047

Part of subcall function 6E16EAE6: __getptd_noexit.LIBCMT ref: 6E16EAE9
Part of subcall function 6E16EAE6: __amsg_exit.LIBCMT ref: 6E16EAF6

__amsg_exit.LIBCMT ref: 6E16F067
__lock.LIBCMT ref: 6E16F077
InterlockedDecrement.KERNEL32(?), ref: 6E16F094
InterlockedIncrement.KERNEL32(06351668), ref: 6E16F0BF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 78fcf45883d3114a3cb9a8f0746ce4ca4defd541fba639594b14018c3571d865
Instruction ID: e7db689694f496d0d4da47ead0bd29931ed5ebaeea6fdee018cfa7d1272e3143
Opcode Fuzzy Hash: 78fcf45883d3114a3cb9a8f0746ce4ca4defd541fba639594b14018c3571d865
Instruction Fuzzy Hash: FE01C475901A22ABDF11DFE984047AE777ABF09718F304545E830A7284CB3459E5FBD1

Function 6E16F7BC Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6E16F7C8

Part of subcall function 6E16EAE6: __getptd_noexit.LIBCMT ref: 6E16EAE9
Part of subcall function 6E16EAE6: __amsg_exit.LIBCMT ref: 6E16EAF6

__getptd.LIBCMT ref: 6E16F7DF
__amsg_exit.LIBCMT ref: 6E16F7ED
__lock.LIBCMT ref: 6E16F7FD
__updatetlocinfoEx_nolock.LIBCMT ref: 6E16F811

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e4042c603e10c496027d659ee74ce92cbf8232e3858825349831a05c84f3c9ea
Instruction ID: 2cc9ae529581a52226e6df91b7cb884cc5da14cc8b046420ff378c425e03d542
Opcode Fuzzy Hash: e4042c603e10c496027d659ee74ce92cbf8232e3858825349831a05c84f3c9ea
Instruction Fuzzy Hash: 11F0F0729056108BDB20EFFC8805BCE33A47F0472CF308A09E4206B2C0CB201AE0FA92

Function 6E14E6E0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 331COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6E14E76F
_memcpy_s.LIBCMT ref: 6E14E78B

Strings

, xrefs: 6E14E85A

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-3916222277
Opcode ID: 11d3e78ce3346f168802b5e6b6c69e07ff05280cb30532cc4eaef813f6c9f94e
Instruction ID: ad93559b1948063534e44397764e5389bdcc2cd615ac8b463f53c1d6550ea3f6
Opcode Fuzzy Hash: 11d3e78ce3346f168802b5e6b6c69e07ff05280cb30532cc4eaef813f6c9f94e
Instruction Fuzzy Hash: E3C168756083028FE744CF68C890A6AB7E2FF98314F144A2DE596CB354E771EA85CB42

Function 6E168B60 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6E168C40
_memset.LIBCMT ref: 6E168C56
_memmove.LIBCMT ref: 6E168DA8

Strings

EncodingParameters, xrefs: 6E168CD6

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memcpy_s_memmove_memset
String ID: EncodingParameters
API String ID: 4034675494-55378216
Opcode ID: bf2b11fefa06ff25c52414b42599674588901d4a312bf25b202285396bce53a2
Instruction ID: c869a37365850daa2b81f16b84b930ca9946af8241ef3de7cb20624f62c5f287
Opcode Fuzzy Hash: bf2b11fefa06ff25c52414b42599674588901d4a312bf25b202285396bce53a2
Instruction Fuzzy Hash: E19179B46083819FD700CF68C880B5BBBE5BFDA748F14491DF99887391D671E985CBA2

Function 6E141200 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 6E15D820: _memmove.LIBCMT ref: 6E15D930

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E1413D4

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Part of subcall function 6E138D80: _malloc.LIBCMT ref: 6E138D8A
Part of subcall function 6E138D80: _malloc.LIBCMT ref: 6E138DAF

Strings

for this key, xrefs: 6E141348
: ciphertext length of , xrefs: 6E1412E4
doesn't match the required length of , xrefs: 6E141316

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _malloc$ExceptionException@8RaiseThrowXinvalid_argument_memmovestd::_
String ID: doesn't match the required length of $ for this key$: ciphertext length of
API String ID: 1025790555-2559040249
Opcode ID: 4920c2e4c4e0fadd1f8bdb1a3d4cc884a854fd3f2e5429a79a1ed2768e9d4a9d
Instruction ID: 8436ae04b364e137665019ce0f2344e449f7be972d0145af8676036c33da5bcc
Opcode Fuzzy Hash: 4920c2e4c4e0fadd1f8bdb1a3d4cc884a854fd3f2e5429a79a1ed2768e9d4a9d
Instruction Fuzzy Hash: 8DA16F716083809FD324CBA9D880BDBB7E9AFD9318F14491DE19D87390DB70A949DB93

Function 6E16B47D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6E16B50D

Part of subcall function 6E171AA0: __87except.LIBCMT ref: 6E171ADB

Strings

pow, xrefs: 6E16B4E5, 6E16B502

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 4080eab810076563f614a6a7ef665c0d2a6cfc8527c8af785439be4f20c82444
Instruction ID: 79e9805e0452c2a670ed2eed294469b3c18fa95d057ea8e2e4c986f35719e9b9
Opcode Fuzzy Hash: 4080eab810076563f614a6a7ef665c0d2a6cfc8527c8af785439be4f20c82444
Instruction Fuzzy Hash: 7D518271B1C60286CF51AAD8C570B9A3BB8EB52B14F70CD59F4D54319CEB3488ECBA46

Function 6E118560 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 6E1188ED

Part of subcall function 6E16A116: __mbstowcs_s_l.LIBCMT ref: 6E16A12C

__cftoe.LIBCMT ref: 6E118911

Strings

zX, xrefs: 6E11865E
P, xrefs: 6E118841

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: __cftoe$__mbstowcs_s_l
String ID: zX$P
API String ID: 1494777130-2079734279
Opcode ID: d29add3d3ef49b5cdc6b9b5d5bc72dbfae176d696aa113c8a120db21576262e8
Instruction ID: ff91c9f94645f324064cce0c7fa8eac4d649520441763591169eff9d47368d36
Opcode Fuzzy Hash: d29add3d3ef49b5cdc6b9b5d5bc72dbfae176d696aa113c8a120db21576262e8
Instruction Fuzzy Hash: F391FFB11087819FC376CF54C894BEBBBE8BB88714F508A1DE19D4B290EB716645CF92

Function 6E1389D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E138ABB
__CxxThrowException@8.LIBCMT ref: 6E138B82

Strings

PK_DefaultDecryptionFilter: ciphertext too long, xrefs: 6E138A8E
: invalid ciphertext, xrefs: 6E138B48

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throw
String ID: : invalid ciphertext$PK_DefaultDecryptionFilter: ciphertext too long
API String ID: 2005118841-483996327
Opcode ID: 59008ae936cafe963c6e61eceaded3e9ac1f6c21a1824f4dcd233d5c146a9fc7
Instruction ID: bda30afe73eca12c5275c4dab5bb2b87209cf3eea0f2510b45bfb2855441eba8
Opcode Fuzzy Hash: 59008ae936cafe963c6e61eceaded3e9ac1f6c21a1824f4dcd233d5c146a9fc7
Instruction Fuzzy Hash: 4A513AB51047419FD324CFA4C990EABB7F8BF98704F108E1DE59A87680DB31E949DB62

Function 6E136B00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E136BA6

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E104067
Part of subcall function 6E104010: _memmove.LIBCMT ref: 6E1040C8

__CxxThrowException@8.LIBCMT ref: 6E136C56

Strings

NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes, xrefs: 6E136B33
RandomNumberGenerator: IncorporateEntropy not implemented, xrefs: 6E136BE3

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes$RandomNumberGenerator: IncorporateEntropy not implemented
API String ID: 1902190269-184618050
Opcode ID: 6d81f9314fbcf69f33841a278c534e3e4515888dba03aef4a323c3a5b448769a
Instruction ID: e99b3c9635ce03d01872f26a878e7f25d14d3072d15d6f0b0ec625ab3dbd73ab
Opcode Fuzzy Hash: 6d81f9314fbcf69f33841a278c534e3e4515888dba03aef4a323c3a5b448769a
Instruction Fuzzy Hash: AF5106B510C380AFC300CFA9C880A5BBBE8BF99764F504A1DF59597390DBB4D948DB52

Function 6E104E80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E104EFC
std::_Xinvalid_argument.LIBCPMT ref: 6E104F16
_memmove.LIBCMT ref: 6E104F6C

Part of subcall function 6E104D90: std::_Xinvalid_argument.LIBCPMT ref: 6E104DA9
Part of subcall function 6E104D90: std::_Xinvalid_argument.LIBCPMT ref: 6E104DCA
Part of subcall function 6E104D90: std::_Xinvalid_argument.LIBCPMT ref: 6E104DE5
Part of subcall function 6E104D90: _memmove.LIBCMT ref: 6E104E4D

Strings

string too long, xrefs: 6E104EF7, 6E104F11

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 153b1c00d51b22c48dab5e433187435f22b53db62bf48f3fd9137a9b2eeb8fa3
Instruction ID: ba144f822332cf3e1c162e9d940b683791ec8ecdb77c8b233a75d7d41c3c822b
Opcode Fuzzy Hash: 153b1c00d51b22c48dab5e433187435f22b53db62bf48f3fd9137a9b2eeb8fa3
Instruction Fuzzy Hash: 873104323102104BE324DADCA4D09AEF7EAEFF1621B20492FE1558B680CB319CC693A1

Function 6E102090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E10211F

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E104067
Part of subcall function 6E104010: _memmove.LIBCMT ref: 6E1040C8

__CxxThrowException@8.LIBCMT ref: 6E1021BF

Strings

PK_MessageAccumulator: TruncatedFinal() should not be called, xrefs: 6E10215D
PK_MessageAccumulator: DigestSize() should not be called, xrefs: 6E1020BD

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: PK_MessageAccumulator: DigestSize() should not be called$PK_MessageAccumulator: TruncatedFinal() should not be called
API String ID: 1902190269-1268710280
Opcode ID: fc828761724c1c579f2eb189f72b6e1301a26e1233c899435012f2b1f4cb2e74
Instruction ID: 7bbbf2f2a9619596301c5a2fd9ae1eee1aac7eb7253e593c1adc579bd60f8bb4
Opcode Fuzzy Hash: fc828761724c1c579f2eb189f72b6e1301a26e1233c899435012f2b1f4cb2e74
Instruction Fuzzy Hash: 2E411C70C0428CAFDB04DFE9D890AEEFBB8BB19354F504659E421A7690DB745688DF50

Function 6E101D30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E101DC9

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E104067
Part of subcall function 6E104010: _memmove.LIBCMT ref: 6E1040C8

__CxxThrowException@8.LIBCMT ref: 6E101E74

Strings

CryptoMaterial: this object contains invalid values, xrefs: 6E101E16
BufferedTransformation: this object is not attachable, xrefs: 6E101D67

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: BufferedTransformation: this object is not attachable$CryptoMaterial: this object contains invalid values
API String ID: 1902190269-3853263434
Opcode ID: 49f84eeab348aa8a603178a30b0d988205c474fbe7fd1f90fd3e6d54d871cb95
Instruction ID: 8bd1bf47200a56b576ba511b3e156d59e0c37594530914b83ffd8d8116a270e5
Opcode Fuzzy Hash: 49f84eeab348aa8a603178a30b0d988205c474fbe7fd1f90fd3e6d54d871cb95
Instruction Fuzzy Hash: 32411B70D04288AFDB04DFE9D890BDEFBB8FF19354F10866AE42567290DB745648DB50

Function 6E1374C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6E15D820: _memmove.LIBCMT ref: 6E15D930

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E13761A

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Strings

byte digest to , xrefs: 6E137565
HashTransformation: can't truncate a , xrefs: 6E137552
bytes, xrefs: 6E137594

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argument_memmovestd::_
String ID: byte digest to $ bytes$HashTransformation: can't truncate a
API String ID: 39012651-1139078987
Opcode ID: 0eb215d1c3a6bf3ea36d2e6839499227b93b020fef1d67a9ef893fb02937451a
Instruction ID: e697a70b37bef978c63a69a63d6568780afe4c1cb5c62bc26286613fe2df5e7d
Opcode Fuzzy Hash: 0eb215d1c3a6bf3ea36d2e6839499227b93b020fef1d67a9ef893fb02937451a
Instruction Fuzzy Hash: 9C416F7110C3C0ABD330CBA4C844FDBBBE8AB99314F104E1DE29997280EB7455889BA6

Function 6E13BEF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E13BF2D

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

Strings

gfff, xrefs: 6E13BF80
vector<T> too long, xrefs: 6E13BF28
gfff, xrefs: 6E13BF37

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$vector<T> too long
API String ID: 1823113695-3369487235
Opcode ID: 066d3e868106f24c57b351b1a2311c64c6863efe0f2e1b98ca9828a88a602a2c
Instruction ID: de0840872be2a86ce922bed4c20c2da5deba7ff20d96fd9b28fe5d856a14702c
Opcode Fuzzy Hash: 066d3e868106f24c57b351b1a2311c64c6863efe0f2e1b98ca9828a88a602a2c
Instruction Fuzzy Hash: 4C31B6B1A006099FC718CF9DD890EAAF7ADFB48310F14862DE9599B384E730B9448B91

Function 6E168E40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(4F740BFF,4F740BFF), ref: 6E168E7F
GetLastError.KERNEL32(0000000A), ref: 6E168E8F

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E168F14

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Strings

Timer: QueryPerformanceFrequency failed with error , xrefs: 6E168EA5

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ErrorExceptionException@8FrequencyLastPerformanceQueryRaiseThrowXinvalid_argumentstd::_
String ID: Timer: QueryPerformanceFrequency failed with error
API String ID: 2175244869-348333943
Opcode ID: 6d5080a1d30b27e50faec8e836862dd28de05d13f3434f82ac85ae8cc719010d
Instruction ID: 144b28440e48549ba6ac74b8934a80695e91fa77bcf2a79777b5ff54b176f926
Opcode Fuzzy Hash: 6d5080a1d30b27e50faec8e836862dd28de05d13f3434f82ac85ae8cc719010d
Instruction Fuzzy Hash: 40213BB150C3809FD310CF64C844B9FBBE8BF89614F508E1DF5A997281DB3595489BA2

Function 6E168F40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(4F740BFF,4F740BFF,?,00000000), ref: 6E168F7F
GetLastError.KERNEL32(0000000A,?,00000000), ref: 6E168F8F

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E169014

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Strings

Timer: QueryPerformanceCounter failed with error , xrefs: 6E168FA5

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: CounterErrorExceptionException@8LastPerformanceQueryRaiseThrowXinvalid_argumentstd::_
String ID: Timer: QueryPerformanceCounter failed with error
API String ID: 1823523280-4075696077
Opcode ID: 7cc2577f85e7c2eeb7660378b2c4dd1e20d87c67df9e968bdd04fdde47e6a7ea
Instruction ID: e884edeb1c6ab707785be269ceb6cdd12e5439aec0399be9a83fd7b855ed1a71
Opcode Fuzzy Hash: 7cc2577f85e7c2eeb7660378b2c4dd1e20d87c67df9e968bdd04fdde47e6a7ea
Instruction Fuzzy Hash: 6F213BB1508380AFD310CF64C884B9FBBE8BF89614F508E1DF5A997281DB3595489BA2

Function 6E136480 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E136518

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

__CxxThrowException@8.LIBCMT ref: 6E136558

Strings

Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 6E1364E7
Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 6E136527

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
API String ID: 3476068407-3345525433
Opcode ID: 43072fb649847acaec87ee1c4b613af8b0c5b0971420b82013d0da8106aa1197
Instruction ID: ecf0a8373fe0d02af09e8fe87764d731ee49ce86e0565fd8941a664e792549ff
Opcode Fuzzy Hash: 43072fb649847acaec87ee1c4b613af8b0c5b0971420b82013d0da8106aa1197
Instruction Fuzzy Hash: 4D21D1B1528290DEC720CFE4C944BDBB3ECAB45748F504E1DE58586244EF759084EA62

Function 6E13C120 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E13C14E

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

Strings

gfff, xrefs: 6E13C15A
vector<T> too long, xrefs: 6E13C149
gfff, xrefs: 6E13C129

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$vector<T> too long
API String ID: 1823113695-3369487235
Opcode ID: 63f5d69aabe5b2191b5fbfc97cd1d726430ca3c0279cf37bb70ec4e9aac03b6a
Instruction ID: e0e2a89eb20e2e695a6105c52d00e323e7f2d420cde7e915da1aa8189ad226c6
Opcode Fuzzy Hash: 63f5d69aabe5b2191b5fbfc97cd1d726430ca3c0279cf37bb70ec4e9aac03b6a
Instruction Fuzzy Hash: 7801AD73F140355F831099BFED4444EEA8BABD439572ACA3AE608DF349E571DC8262D2

Function 6E1425D0 Relevance: 6.2, APIs: 4, Instructions: 206COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6E142677
_memmove.LIBCMT ref: 6E1426E6
_memmove.LIBCMT ref: 6E142746
__CxxThrowException@8.LIBCMT ref: 6E1427CD

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memmove$Exception@8Throw
String ID:
API String ID: 2655171816-0
Opcode ID: 7bc808c26cbd6545135fe312abeba887e6e7a35b6a5ae3c4e431d98ab0125f58
Instruction ID: 2c69c2057dd7587ea5133c671fa6671e76bb6545d1720a52fb0a51b7a50f576b
Opcode Fuzzy Hash: 7bc808c26cbd6545135fe312abeba887e6e7a35b6a5ae3c4e431d98ab0125f58
Instruction Fuzzy Hash: C55180753047068FD704DFA9C990A2FB7E9AFD8614F10492DE995C3340EB34E985DB92

Function 6E11D4B0 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E11D5E4
__CxxThrowException@8.LIBCMT ref: 6E11D5F9
std::exception::exception.LIBCMT ref: 6E11D608
__CxxThrowException@8.LIBCMT ref: 6E11D61D

Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C04
Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C1E
Part of subcall function 6E169BB5: __CxxThrowException@8.LIBCMT ref: 6E169C2F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: dec577eae12388752215a1ea9ae81c42493072f11ce3e7e0a1b666dabac360d1
Instruction ID: cbdb415d7636d6e9b9d95e096536539c84590ea86604aaab9e0134bf148429d9
Opcode Fuzzy Hash: dec577eae12388752215a1ea9ae81c42493072f11ce3e7e0a1b666dabac360d1
Instruction Fuzzy Hash: 80515CB1A04649AFC744CFA8C980A9AFBF4FF08304F50866AD419D7740D771E994DFA1

Function 6E125F00 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E126035
__CxxThrowException@8.LIBCMT ref: 6E12604A
std::exception::exception.LIBCMT ref: 6E126059
__CxxThrowException@8.LIBCMT ref: 6E12606E

Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C04
Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C1E
Part of subcall function 6E169BB5: __CxxThrowException@8.LIBCMT ref: 6E169C2F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 9c7d3ebedf32ff2e58277af0602028e99ad27680f0832e07f6465b3ad9e7a608
Instruction ID: f3c220231ce840709754843fe4315dae52b6092c6d16f69cd59f483416aa23e2
Opcode Fuzzy Hash: 9c7d3ebedf32ff2e58277af0602028e99ad27680f0832e07f6465b3ad9e7a608
Instruction Fuzzy Hash: 5F514EB1A0064AEFC744CFA8C980A9AFBF4FF08304F50866AD519D7B41D771E994DBA1

Function 6E11DE50 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E11DE81
VariantClear.OLEAUT32(?), ref: 6E11DF3C
VariantClear.OLEAUT32(?), ref: 6E11DF6D
VariantClear.OLEAUT32(?), ref: 6E11DF8B

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: 922ccb9421ca275042794057d276e360628e43956dedda185cff2a184ab4bd64
Instruction ID: a0894635bb89e699ad7b646414739d36bd6838c5298c6ff7a39f6cb234b6b7ba
Opcode Fuzzy Hash: 922ccb9421ca275042794057d276e360628e43956dedda185cff2a184ab4bd64
Instruction Fuzzy Hash: 2141AB322092429FD700DF69C840B9BB7E8FF99721F148A6DF9449B350D731E945CB92

Function 6E125DB0 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E125E87
__CxxThrowException@8.LIBCMT ref: 6E125E9C
std::exception::exception.LIBCMT ref: 6E125EAB
__CxxThrowException@8.LIBCMT ref: 6E125EC0

Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C04
Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C1E
Part of subcall function 6E169BB5: __CxxThrowException@8.LIBCMT ref: 6E169C2F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 22206a7353b42e7cf6d8315b0a49728bcb00a9521b719d6435ef63d33b713992
Instruction ID: e0de8b6b3ea5e0d3f20c999cf51085c3307e2a5bb6e35c1c6a7eacc2ae9117d0
Opcode Fuzzy Hash: 22206a7353b42e7cf6d8315b0a49728bcb00a9521b719d6435ef63d33b713992
Instruction Fuzzy Hash: D0414CB19007489FC724CFA8D880A9AFBF8FF18304F40896ED95A97741E771E584DBA5

Function 6E11D360 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E11D437
__CxxThrowException@8.LIBCMT ref: 6E11D44C
std::exception::exception.LIBCMT ref: 6E11D45B
__CxxThrowException@8.LIBCMT ref: 6E11D470

Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C04
Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C1E
Part of subcall function 6E169BB5: __CxxThrowException@8.LIBCMT ref: 6E169C2F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: d5a0732f15bd8e1c443d677e439f075351eb8e0d13e355c10433ee40e7dfd5d3
Instruction ID: c75d8a00d9c57af759dee3b61d8b26314b1c401d756e019bb9129a4349fb425f
Opcode Fuzzy Hash: d5a0732f15bd8e1c443d677e439f075351eb8e0d13e355c10433ee40e7dfd5d3
Instruction Fuzzy Hash: 02414BB19047489FC720CFA8D880A9ABBF8FF08304F40896ED95A97B41E771E544DFA1

Function 6E162B80 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 6E136480: __CxxThrowException@8.LIBCMT ref: 6E136518
Part of subcall function 6E136480: __CxxThrowException@8.LIBCMT ref: 6E136558

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E162C9A
__CxxThrowException@8.LIBCMT ref: 6E162CB1
std::exception::exception.LIBCMT ref: 6E162CC3
__CxxThrowException@8.LIBCMT ref: 6E162CDA

Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C04
Part of subcall function 6E169BB5: std::exception::exception.LIBCMT ref: 6E169C1E
Part of subcall function 6E169BB5: __CxxThrowException@8.LIBCMT ref: 6E169C2F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID:
API String ID: 3942750879-0
Opcode ID: 029809fbafebde34c5bf6754f253bc46ac53134feba7345b114459ce5f5fb98c
Instruction ID: dd15afe75c76f22f004fd4ddbb2f1a6a8f6652e9e07fe320b1a0850a08c05a2d
Opcode Fuzzy Hash: 029809fbafebde34c5bf6754f253bc46ac53134feba7345b114459ce5f5fb98c
Instruction Fuzzy Hash: B14138B15187419FC314CF98C880A4AFBF8BF99714F508E2EE19A87650D7B0A584CB92

Function 6E12C410 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6E12C478
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6E12C488
SafeArrayGetElement.OLEAUT32(?,00000001,?), ref: 6E12C4B4
SafeArrayDestroy.OLEAUT32(?), ref: 6E12C512

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Bound$DestroyElement
String ID:
API String ID: 3987547017-0
Opcode ID: c37c6096a3f5c0b2565bb5c8480a6696a44f3c9842bf983929b5d9e734aa7bbc
Instruction ID: 1359ef99d13dccb284454994afba9f6771af7d796366226958a3a8651bbc44f3
Opcode Fuzzy Hash: c37c6096a3f5c0b2565bb5c8480a6696a44f3c9842bf983929b5d9e734aa7bbc
Instruction Fuzzy Hash: EE410075A0014AAFDB00DFD8C884DAEB7B8EB59350F10C569F919EB240D730EA85DB60

Function 6E12B580 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6E1802A0), ref: 6E12B5D5
VariantInit.OLEAUT32(?), ref: 6E12B5E2
VariantClear.OLEAUT32(?), ref: 6E12B685
VariantClear.OLEAUT32(6E1802A0), ref: 6E12B68B

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 5119f644796f7c4102269f26bea578684a00c6f6e563a02f42f0b4114afafcf4
Instruction ID: 2d3ce34c0b56534b57cd80689952140a6536516adac1d5370477e15a95381076
Opcode Fuzzy Hash: 5119f644796f7c4102269f26bea578684a00c6f6e563a02f42f0b4114afafcf4
Instruction Fuzzy Hash: 72418072A006099FDB04DFA8C980F9AF7F9FF99310F2081A9E9149B354D735E941DB90

Function 6E1788C9 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6E1788FD
__isleadbyte_l.LIBCMT ref: 6E178930
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 6E178961
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 6E1789CF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: 8e830fcd92cb53bc29904f225b62e653f3c374a681b224aa2f3d0f1ba5259932
Instruction ID: c5309da100e7932e76afd03324bf193e7cf18131ee4c95bc6867f59015e72020
Opcode Fuzzy Hash: 8e830fcd92cb53bc29904f225b62e653f3c374a681b224aa2f3d0f1ba5259932
Instruction Fuzzy Hash: E031C031A14266EFDF20DFE8C8909AE3BB8BF42710F2185A9E1659B190D731DDC0EB51

Function 6E105A30 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E105ACB
__CxxThrowException@8.LIBCMT ref: 6E105AE0
std::exception::exception.LIBCMT ref: 6E105B18
__CxxThrowException@8.LIBCMT ref: 6E105B2D

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$_malloc
String ID:
API String ID: 3153320871-0
Opcode ID: 45f487f94a54a5e3b6ef7dfad5504f9f2c960eb9bafcd55a0110bbfca373a1e8
Instruction ID: c8dce288eca40141196d4efaeea6de8bb94cbd12925809fd7ee98cdfb9c1b569
Opcode Fuzzy Hash: 45f487f94a54a5e3b6ef7dfad5504f9f2c960eb9bafcd55a0110bbfca373a1e8
Instruction Fuzzy Hash: CD3171B5914608ABCB14DFD8D8409DBBBF8FF48750F10C66AE81997740EB30AA54DBE1

Function 6E118470 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

InitializeCriticalSection.KERNEL32(00000000,00000000,6E115D89,00000000,00000004,00000000,?,00000000,00000000), ref: 6E1184EA
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000), ref: 6E1184F0
std::exception::exception.LIBCMT ref: 6E11853C
__CxxThrowException@8.LIBCMT ref: 6E118551

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: CriticalInitializeSection$Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 3005353045-0
Opcode ID: 1c51c78c2940ff3a7b5015faa6af5435920b1c35a590a5892495ab2fe29b4e5e
Instruction ID: a89e305de259497b7ea199bbc4c362bd7894e6be0f26b85064cbb6400a8025eb
Opcode Fuzzy Hash: 1c51c78c2940ff3a7b5015faa6af5435920b1c35a590a5892495ab2fe29b4e5e
Instruction Fuzzy Hash: 22316DB16057049FC744CFA8C480A9AFBF8FF08310F508A6ED91687B40D770EA44DB90

Function 6E12DC40 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6E12DCC5

Part of subcall function 6E169533: std::exception::_Copy_str.LIBCMT ref: 6E16954E

__CxxThrowException@8.LIBCMT ref: 6E12DCDA

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

std::exception::exception.LIBCMT ref: 6E12DD09
__CxxThrowException@8.LIBCMT ref: 6E12DD1E

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 399550787-0
Opcode ID: 6dfc46b27f51c826fb8ba2f62505b4b50256af8af98f2e7836136148760454c5
Instruction ID: adab6cad27ec1562a03d051d90bff06e58f4cc40b46d43abccbae4be77b4fbf1
Opcode Fuzzy Hash: 6dfc46b27f51c826fb8ba2f62505b4b50256af8af98f2e7836136148760454c5
Instruction Fuzzy Hash: 5B3170B59002089FD704CFD9D850A9EBBF8FF54310F40856EE91997350E770EA94EBA0

Function 6E172645 Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E172653

Part of subcall function 6E169D66: __FF_MSGBANNER.LIBCMT ref: 6E169D7F
Part of subcall function 6E169D66: __NMSG_WRITE.LIBCMT ref: 6E169D86
Part of subcall function 6E169D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6E169BD4,6E101290,4F740BFF), ref: 6E169DAB

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 568ea18b20a938d14c52cdcebadcccaeebacacdc1bc15bdd04e0518fe626e679
Instruction ID: 74a14b6b00730a73352e5862f5ec6de2c8dbb3161a16401bfe3915762f7acb4d
Opcode Fuzzy Hash: 568ea18b20a938d14c52cdcebadcccaeebacacdc1bc15bdd04e0518fe626e679
Instruction Fuzzy Hash: E311B2734486156BCF326BF5A80469E37ACAB52B64B314826FC249F240DF3089D2FB94

Function 6E117240 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 6E134410: _malloc.LIBCMT ref: 6E13446E

SafeArrayCreateVector.OLEAUT32(00000011,00000000,?), ref: 6E117287
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6E11729B
_memmove.LIBCMT ref: 6E1172AF
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6E1172B8

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ArraySafe$Data$AccessCreateUnaccessVector_malloc_memmove
String ID:
API String ID: 583974297-0
Opcode ID: cf9855fd682c6164cb80b8409e50b39b472dfa3fa82aa08600fd2633fc3e4a2d
Instruction ID: 55c07e9ff3c8e8b493ddcc53f3acf96b47e35b0aff95a73d667a48c05d450a7e
Opcode Fuzzy Hash: cf9855fd682c6164cb80b8409e50b39b472dfa3fa82aa08600fd2633fc3e4a2d
Instruction Fuzzy Hash: 571160B6A04118BBCB14CFE5DC80DDFBB7DDF9A654B00C26AF90497240E6709A469BE1

Function 6E125A70 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6E125AB9
VariantCopy.OLEAUT32(?,6E199C90), ref: 6E125AC1
VariantClear.OLEAUT32(?), ref: 6E125AE2
__CxxThrowException@8.LIBCMT ref: 6E125AEF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Variant$ClearCopyException@8InitThrow
String ID:
API String ID: 3826472263-0
Opcode ID: 7d0a68ef2badae7c1126c88830d80b382b6fd286385eaa32ceee27e2ca2dbdd8
Instruction ID: 6a5c1388c59572401323d44f6258dbbdcd90b98c17c34eacbd9e3833b5ddfb00
Opcode Fuzzy Hash: 7d0a68ef2badae7c1126c88830d80b382b6fd286385eaa32ceee27e2ca2dbdd8
Instruction Fuzzy Hash: 7611B172904668AFCB00CF988CC49DFBB78FB46624F11813AE824A7300D7756E809BE1

Function 6E138D80 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6E138D8A

Part of subcall function 6E169D66: __FF_MSGBANNER.LIBCMT ref: 6E169D7F
Part of subcall function 6E169D66: __NMSG_WRITE.LIBCMT ref: 6E169D86
Part of subcall function 6E169D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6E169BD4,6E101290,4F740BFF), ref: 6E169DAB

Part of subcall function 6E1691F6: std::_Lockit::_Lockit.LIBCPMT ref: 6E169202

_malloc.LIBCMT ref: 6E138DAF
std::exception::exception.LIBCMT ref: 6E138DD4
__CxxThrowException@8.LIBCMT ref: 6E138DEB

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _malloc$AllocateException@8HeapLockitLockit::_Throwstd::_std::exception::exception
String ID:
API String ID: 3043633502-0
Opcode ID: 997efb8bf209c8ad95eca836863de06102ef8ca1d8e819a501ed5ca7a2bc6dce
Instruction ID: 4687a79e7dc3f2d042818d079f46026211d82f1e993342a4ed1a4f98691c33d4
Opcode Fuzzy Hash: 997efb8bf209c8ad95eca836863de06102ef8ca1d8e819a501ed5ca7a2bc6dce
Instruction Fuzzy Hash: F6F0F67240432517D201DBD59C61BDF37FC9FA1721F500C2CE95491140FB20D199A5F3

Function 6E170A60 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6E170A86

Part of subcall function 6E1708B2: __fltout2.LIBCMT ref: 6E1708DD

__cftog_l.LIBCMT ref: 6E170AAC
__cftoe_l.LIBCMT ref: 6E170ADE

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: a1bc7999c6468adcb7c6ed7e8b8329455d7a8b307b3dac4ae13bb4df77b8781d
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: C5112B3644024ABBCF229EC4DC118DE3F26BB19A54F598915FA6859060E337C9B1BB81

Function 6E168970 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6E168A84
_memmove.LIBCMT ref: 6E168AA0

Strings

EncodingParameters, xrefs: 6E168A41

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _memmove_memset
String ID: EncodingParameters
API String ID: 3555123492-55378216
Opcode ID: 188670a0c6958cf67d632b145818ee1b1357cc070db9a15aa518be64a6094593
Instruction ID: 2327293bcb3536191a21d20e2e822eec3e63fb3f7a995ac128ea8ce5f0b66d17
Opcode Fuzzy Hash: 188670a0c6958cf67d632b145818ee1b1357cc070db9a15aa518be64a6094593
Instruction Fuzzy Hash: F161D0B42083419FD304CF69C880A2BFBE9AFD9754F148A1DF59987391D770E945CBA2

Function 6E10F190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 6E104760: __CxxThrowException@8.LIBCMT ref: 6E1047F9

Part of subcall function 6E138D80: _malloc.LIBCMT ref: 6E138D8A
Part of subcall function 6E138D80: _malloc.LIBCMT ref: 6E138DAF

_memcpy_s.LIBCMT ref: 6E10F282
_memset.LIBCMT ref: 6E10F293

Strings

@, xrefs: 6E10F2DE

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: _malloc$Exception@8Throw_memcpy_s_memset
String ID: @
API String ID: 3081897325-2766056989
Opcode ID: 51f1b27b70db70cd2d5b35e5d6f9081114479607ab56d037fe0d60208fda6971
Instruction ID: 2634cc1df66635ef54b5d898ff2f28d10a1797c6ce707e70d165928c12335380
Opcode Fuzzy Hash: 51f1b27b70db70cd2d5b35e5d6f9081114479607ab56d037fe0d60208fda6971
Instruction Fuzzy Hash: 9F51CF70A00248DFDB10CFE4C880BDEBBB4BF15304F108598E55967381DB716A89EF91

Function 6E104100 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E104175
_memmove.LIBCMT ref: 6E1041C6

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

Strings

string too long, xrefs: 6E104170

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 38e66f2a4b3a105d155b4e5414ff2eaec69b78026e125d50a0f9424fc241cbdc
Instruction ID: 27fe89e5d2fa5dc98668a7c9452d86f0dc0c2c8dc99a97631bff58618cd9eba9
Opcode Fuzzy Hash: 38e66f2a4b3a105d155b4e5414ff2eaec69b78026e125d50a0f9424fc241cbdc
Instruction Fuzzy Hash: B531C4323146155BE320CEDCACD0A5AF7EDEBB5724B20091BE591C7A80CB71ACC297A1

Function 6E13C350 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E13C39B

Strings

gfff, xrefs: 6E13C3A3
gfff, xrefs: 6E13C3F7

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throw
String ID: gfff$gfff
API String ID: 2005118841-3084402119
Opcode ID: 0fc975951894ecdd0a9fd187ee17f5a7dd85dbf523fbdf3c3300f41ba2466e2d
Instruction ID: 7b458196180a210a4b68a0a5f796e282af4ab6b2b872e6cc70d30edf77294d44
Opcode Fuzzy Hash: 0fc975951894ecdd0a9fd187ee17f5a7dd85dbf523fbdf3c3300f41ba2466e2d
Instruction Fuzzy Hash: A231927190061DAFD714CF98D880EFEB779EB84314F14851CE8159B284E730BA59DBA1

Function 6E1018C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E10194F

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

std::exception::exception.LIBCMT ref: 6E10198E

Part of subcall function 6E1695C1: std::exception::operator=.LIBCMT ref: 6E1695DA

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E104067
Part of subcall function 6E104010: _memmove.LIBCMT ref: 6E1040C8

Strings

Clone() is not implemented yet., xrefs: 6E1018ED

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrow_memmovestd::exception::exceptionstd::exception::operator=
String ID: Clone() is not implemented yet.
API String ID: 2192554526-226299721
Opcode ID: c621dcbd2628835e89f8c3c028bdf827b7656ee014326bef22176d12a4e52e20
Instruction ID: 74375bb32fdb437f393d15a67562de41d3c2a3cbe5359b23491638a87492c9ff
Opcode Fuzzy Hash: c621dcbd2628835e89f8c3c028bdf827b7656ee014326bef22176d12a4e52e20
Instruction Fuzzy Hash: D9315EB1904248AFDB14CFD9D880AEEFBB8FB19324F104A6EE421A7780DB745645DF90

Function 6E135560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E135657

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Strings

InputBuffer, xrefs: 6E1355BF
StringStore: missing InputBuffer argument, xrefs: 6E1355E0

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: InputBuffer$StringStore: missing InputBuffer argument
API String ID: 3718517217-2380213735
Opcode ID: e1daa36b790239053c5816db2b1769fe34001b8a1c1e498bd7e97d24dd9410ab
Instruction ID: 0d574c82bfead16d7007ca910bd653176d063f7a5a99e97d18c2cdc9f7ae2ae2
Opcode Fuzzy Hash: e1daa36b790239053c5816db2b1769fe34001b8a1c1e498bd7e97d24dd9410ab
Instruction Fuzzy Hash: B94168B15087809FC320CFA9D490B9BFBE4BB99714F508A1EF5E987380DB749948DB52

Function 6E101EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E101F36

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

std::exception::exception.LIBCMT ref: 6E101F6E

Part of subcall function 6E1695C1: std::exception::operator=.LIBCMT ref: 6E1695DA

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E104067
Part of subcall function 6E104010: _memmove.LIBCMT ref: 6E1040C8

Strings

CryptoMaterial: this object does not support precomputation, xrefs: 6E101ED4

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrow_memmovestd::exception::exceptionstd::exception::operator=
String ID: CryptoMaterial: this object does not support precomputation
API String ID: 2192554526-3625584042
Opcode ID: 7e61d366c6e65c3c21fa55907203543818d83da273c8cdad112d0521d3192f30
Instruction ID: b2d26d9756324a1c74beeb0664f731b0071e2f630e9c5bd6fd0f3ff9d72e72c1
Opcode Fuzzy Hash: 7e61d366c6e65c3c21fa55907203543818d83da273c8cdad112d0521d3192f30
Instruction Fuzzy Hash: D8315EB1904248AFDB14CFD8D880AEEFBB8FB09724F10866EE521A7780DB745945DF90

Function 6E113317 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6E113327

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

std::_Xinvalid_argument.LIBCPMT ref: 6E11336B

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

Strings

vector<T> too long, xrefs: 6E113366

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$ExceptionRaiseXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 1735018483-3788999226
Opcode ID: 965994ac5b6bdb498dbc114244acbd8195d8c5dbfaa808b64513d2897fc9462f
Instruction ID: 43b9cfb03b4e4438d09d305951d2372670aab83c3f558b79c37cecd5873bc0f0
Opcode Fuzzy Hash: 965994ac5b6bdb498dbc114244acbd8195d8c5dbfaa808b64513d2897fc9462f
Instruction Fuzzy Hash: 7A310575A086059FCB14CFD8D894AAEB7B4FB04714F118639E92A9F380DB31BD80DB91

Function 6E125810 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E12584D

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

VariantClear.OLEAUT32(00000000), ref: 6E125899

Strings

vector<T> too long, xrefs: 6E125848

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$ClearException@8ThrowVariantXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 2677079660-3788999226
Opcode ID: fb517a822fd74729b6c4357a4e3733e32789f89f38420fcbc88c37376d66554f
Instruction ID: b5428b79156950b0e05d25b7ff73efb78b613dfcae65e7b28a09f37f4b1e449e
Opcode Fuzzy Hash: fb517a822fd74729b6c4357a4e3733e32789f89f38420fcbc88c37376d66554f
Instruction Fuzzy Hash: 7E2190B2A006099FD710CFA9D8C0A6EB7F9FF44324F204A3EE455D7744EB70A9809B91

Function 6E115750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E11576B

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

std::_Xinvalid_argument.LIBCPMT ref: 6E115782

Strings

string too long, xrefs: 6E115766, 6E11577D

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 1bd470b5eb453657adcecc1571873f7506a7129d16c2477c1ec6b7018ef0a8ea
Instruction ID: f5d96078d01c7468312ad33612fe9040b3b04f0ff746996804cea47e27dab7c1
Opcode Fuzzy Hash: 1bd470b5eb453657adcecc1571873f7506a7129d16c2477c1ec6b7018ef0a8ea
Instruction Fuzzy Hash: 5D11BB333087149FD3219ADCA890AAAF3EDFBA5620B60062FE552C7640C761988497A1

Function 6E1046B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E1046C4

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

_memmove.LIBCMT ref: 6E10470B

Strings

string too long, xrefs: 6E1046BF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 1785806476-2556327735
Opcode ID: 16c0864041441dfbb5e05779d71194924aea5d5cbd692dece1910172242dc6e5
Instruction ID: 7371648f99b5ac2e6378adc17aad80f36dd98dfbb5334feb57a3f3f1fd57c4d5
Opcode Fuzzy Hash: 16c0864041441dfbb5e05779d71194924aea5d5cbd692dece1910172242dc6e5
Instruction Fuzzy Hash: D611E9722143155FF721DEF8A8D0A6EB7A8AF71318F200E2FE59783581DF61A4C99351

Function 6E134D30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E134E00

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Strings

ArraySink: missing OutputBuffer argument, xrefs: 6E134D91
OutputBuffer, xrefs: 6E134D77

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: ArraySink: missing OutputBuffer argument$OutputBuffer
API String ID: 3718517217-3781944848
Opcode ID: 7cd80ce413d5eb5286342481abaea5edf50a3bf8187ad8b13589c31fa4b0ddc2
Instruction ID: 2388556c6cf068401e9d2055ccdfd1dfb3d6eeab00a50b13d1af1e9fbcd7508e
Opcode Fuzzy Hash: 7cd80ce413d5eb5286342481abaea5edf50a3bf8187ad8b13589c31fa4b0ddc2
Instruction Fuzzy Hash: A23125B550C7809FC314CFA8C480A9BBBE4BB99710F408E1EF5A697350DB74D548DB92

Function 6E110150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6E104010: std::_Xinvalid_argument.LIBCPMT ref: 6E10402A

__CxxThrowException@8.LIBCMT ref: 6E110201

Part of subcall function 6E16AC75: RaiseException.KERNEL32(?,?,6E169C34,4F740BFF,?,?,?,?,6E169C34,4F740BFF,6E199C90,6E1AB974,4F740BFF), ref: 6E16ACB7

Strings

OutputStringPointer, xrefs: 6E11018C
StringSink: OutputStringPointer not specified, xrefs: 6E11019B

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: OutputStringPointer$StringSink: OutputStringPointer not specified
API String ID: 3718517217-1331214609
Opcode ID: f3fcd679bc819232a4fd6ecefe652026cf99b05ae14d1ed5025d082f866ab5b8
Instruction ID: fb733e6a74362824b7b92904cafc118256d266937c3df22ddd08a17d2d92b610
Opcode Fuzzy Hash: f3fcd679bc819232a4fd6ecefe652026cf99b05ae14d1ed5025d082f866ab5b8
Instruction Fuzzy Hash: 9C214F75D04288AFCB04DFD8D890BEEFBB8FB19354F10865AE425AB381DB355684EB50

Function 6E104620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E104636

Part of subcall function 6E169125: std::exception::exception.LIBCMT ref: 6E16913A
Part of subcall function 6E169125: __CxxThrowException@8.LIBCMT ref: 6E16914F
Part of subcall function 6E169125: std::exception::exception.LIBCMT ref: 6E169160

_memmove.LIBCMT ref: 6E10466F

Strings

invalid string position, xrefs: 6E104631

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 3ae5542bdfee3979697d32bb0d1f03ea7f3e68a2cbdb245e0fb6311fbef1a8cc
Instruction ID: 5a7661ceabdaff9032c7452f47e356e2d5ceb06e046b329bd85a332a37aa3173
Opcode Fuzzy Hash: 3ae5542bdfee3979697d32bb0d1f03ea7f3e68a2cbdb245e0fb6311fbef1a8cc
Instruction Fuzzy Hash: 0C01C8313002418BD320CEDCDCE095AB3BA9BE5610B244929D1A5CB701EEB1EC8293A1

Function 6E13ACA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E13ACF8

Strings

Modulus, xrefs: 6E13AD30
PublicExponent, xrefs: 6E13AD1F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: type_info::operator!=
String ID: Modulus$PublicExponent
API String ID: 2241493438-3324115277
Opcode ID: 6bd880535e60e675814e8c2e974d3747e8caa13eebbc224f71e6e18f37b4d261
Instruction ID: 1e0b5c47920c5feee5778482bade75e1a25aa8080aedd7c2a3a3fb3fc8c98a3f
Opcode Fuzzy Hash: 6bd880535e60e675814e8c2e974d3747e8caa13eebbc224f71e6e18f37b4d261
Instruction Fuzzy Hash: 9C11E3709083149FCA00DFE8C85458BFBE8BFD5354F204A1EF885AB260DB3099C8DB92

Function 6E15B7F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6E15B848

Strings

Modulus, xrefs: 6E15B880
PublicExponent, xrefs: 6E15B86F

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: type_info::operator!=
String ID: Modulus$PublicExponent
API String ID: 2241493438-3324115277
Opcode ID: a2ad35cdbcb52860bba77e4ad999a75c480538f8afe5b1c659200343047b1297
Instruction ID: 18d132f7d87eea9cd83639df6c47310bbcc18495024e900239094648e5d9d063
Opcode Fuzzy Hash: a2ad35cdbcb52860bba77e4ad999a75c480538f8afe5b1c659200343047b1297
Instruction Fuzzy Hash: 6B110AB09053446EC600DFADC85498BFBE8AFD6244F100A5EF8656B355DB30D8C9DB96

Function 6E13B5F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E13B605

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

_memmove.LIBCMT ref: 6E13B634

Strings

vector<T> too long, xrefs: 6E13B600

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 9024ad56b65f0e0512319a01e99f90df5ff19cda87955b28a7dfdd8baecc3ff6
Instruction ID: 8c6d1176925fb7fa545351f6d9220811facc42f9b2b63ed0c139ad3228fc4d22
Opcode Fuzzy Hash: 9024ad56b65f0e0512319a01e99f90df5ff19cda87955b28a7dfdd8baecc3ff6
Instruction Fuzzy Hash: 1E01B1B26006058FD324CFE8DCA0CABB3ECEB54210724492DE9AAC3250F670F9449B60

Function 6E164230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E164241

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

_memmove.LIBCMT ref: 6E164277

Strings

vector<bool> too long, xrefs: 6E16423C

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<bool> too long
API String ID: 1785806476-842332957
Opcode ID: 1d593c4fa74ec66a5f7bec8d4e332a286d75011d2aec225d5d027caa37335d28
Instruction ID: adf7a5e51067d3218e6a6ed45affa06d582b613d3c6e4a394ec00e3a6e48e183
Opcode Fuzzy Hash: 1d593c4fa74ec66a5f7bec8d4e332a286d75011d2aec225d5d027caa37335d28
Instruction Fuzzy Hash: 8101F772A001055FD704CFA9ECE08AEF3A9FB94354F71462EF52687640E730A9A9CB90

Function 6E163840 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E163855

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

_memmove.LIBCMT ref: 6E163880

Strings

vector<T> too long, xrefs: 6E163850

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 822ff6ad6bccadead292da38828eda38888d2c42b09ed56cef617478304f9db0
Instruction ID: 317084285d6de7fbdd86dfb57d09d15e999d75510a88e7c9da3ce61a9f15de03
Opcode Fuzzy Hash: 822ff6ad6bccadead292da38828eda38888d2c42b09ed56cef617478304f9db0
Instruction Fuzzy Hash: 920171725006099FD314DFE9D8988AFB3EDAB542107104A3DE5AAD3650EA70F8959B60

Function 6E115160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6E115173

Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E1690ED
Part of subcall function 6E1690D8: __CxxThrowException@8.LIBCMT ref: 6E169102
Part of subcall function 6E1690D8: std::exception::exception.LIBCMT ref: 6E169113

_memmove.LIBCMT ref: 6E11519E

Strings

vector<T> too long, xrefs: 6E11516E

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 9cdf6de82733bda3c1c93916aa36643daa72b53c4f14e34923457130c26de77b
Instruction ID: 153d13c7f09019e3f57da4f77ef1c2e373f5922780a8d426516a5aea242e90fb
Opcode Fuzzy Hash: 9cdf6de82733bda3c1c93916aa36643daa72b53c4f14e34923457130c26de77b
Instruction Fuzzy Hash: 38018FB16042069FD728CFE8CCA58AFB3E9EB54244724493DE85AC7740E731F880DB61

Function 6E16BFB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6E16ABC3: __getptd.LIBCMT ref: 6E16ABC9
Part of subcall function 6E16ABC3: __getptd.LIBCMT ref: 6E16ABD9

__getptd.LIBCMT ref: 6E16BFC3

Part of subcall function 6E16EAE6: __getptd_noexit.LIBCMT ref: 6E16EAE9
Part of subcall function 6E16EAE6: __amsg_exit.LIBCMT ref: 6E16EAF6

__getptd.LIBCMT ref: 6E16BFD1

Strings

csm, xrefs: 6E16BFDF

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 86966626eb4e0d809bdbd7093bece3461dc5396f3a0cf366651c66bb381db945
Instruction ID: 8e6b626fffb947167e90cc1eb4376a9b4732a76e6ff7047e22c41ff3247a0db2
Opcode Fuzzy Hash: 86966626eb4e0d809bdbd7093bece3461dc5396f3a0cf366651c66bb381db945
Instruction Fuzzy Hash: F40169388003058FDF64CFE1D450AADB3BABF28315F60892EE0519E290CB3896E0FB41

Function 6E173EA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6E173ED9
DName::DName.LIBCMT ref: 6E173EE5

Strings

{flat}, xrefs: 6E173ED4

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: 69521b9200ad31379fc9ff9bb1441bdf412ab3be426749322b71a944d74e6ff9
Instruction ID: 364316c0bfb9280c3d74ad061babf5d05badf5f6d83e997fe33f9e05e8fbb99f
Opcode Fuzzy Hash: 69521b9200ad31379fc9ff9bb1441bdf412ab3be426749322b71a944d74e6ff9
Instruction Fuzzy Hash: B0F030711406499FDF20CF98C468BA83BA59B96B95F14C045E95C0F352CB31D9C3EB65

Function 6E117680 Relevance: 5.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,4F740BFF), ref: 6E1176AD
LeaveCriticalSection.KERNEL32(?,?,?,4F740BFF), ref: 6E1176FF
EnterCriticalSection.KERNEL32(4F740BFF,?,?,?,4F740BFF), ref: 6E11770D
LeaveCriticalSection.KERNEL32(4F740BFF,?,00000000,?,?,?,?,4F740BFF), ref: 6E11772A

Part of subcall function 6E169BB5: _malloc.LIBCMT ref: 6E169BCF

Part of subcall function 6E116D40: _rand.LIBCMT ref: 6E116DEA

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave$_malloc_rand
String ID:
API String ID: 119520971-0
Opcode ID: f809cef3fa2b00c76cdf66b54687b16e0e8b857f0d90099d067e649a82045247
Instruction ID: 5943879050d1422a114325a77f4ae8fccae5c21fe2036dced683b20916602dce
Opcode Fuzzy Hash: f809cef3fa2b00c76cdf66b54687b16e0e8b857f0d90099d067e649a82045247
Instruction Fuzzy Hash: 3E218472504609AFCB10DFA4CC44EDFB7BCFF41254F108A2AF82697640EB70AA45DBA1

Function 6E119580 Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?), ref: 6E1195A9
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 6E1195CA
EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6E1195DA
LeaveCriticalSection.KERNEL32(00000000,?,?,?), ref: 6E1195FB

Memory Dump Source

Source File: 00000000.00000002.2120932138.000000006E101000.00000020.00000001.01000000.00000007.sdmp, Offset: 6E100000, based on PE: true

Associated: 00000000.00000002.2120899419.000000006E100000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121352580.000000006E184000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121457769.000000006E19E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121485981.000000006E1A0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121511934.000000006E1A1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121552470.000000006E1A3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121609210.000000006E1AC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2121685711.000000006E1AE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6e100000_file.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: c62fd45ffd44d16279e3b84726580f228088234db1b3fb1c4c18c53b5ecefab2
Instruction ID: 12a6d874eb17ddf7a1f1749c8127b209e47332a045a7e5e15f6e026122c0c7e8
Opcode Fuzzy Hash: c62fd45ffd44d16279e3b84726580f228088234db1b3fb1c4c18c53b5ecefab2
Instruction Fuzzy Hash: 3A116072908509AFC740CFD9D4909DFF7BCFF51210B1045AAE525A7610D770EA51DBA1

Analysis Process: MSBuild.exePID: 6052, Parent PID: 3872COMMON

Execution Graph

Execution Coverage:	20.5%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	121
Total number of Limit Nodes:	7

Executed Functions

Function 00DA62E8 Relevance: 7.3, Strings: 5, Instructions: 1009
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

TJbq, xrefs: 00DA649D
paq, xrefs: 00DA6F30
xb`q, xrefs: 00DA642A
4']q, xrefs: 00DA6E49
Te]q, xrefs: 00DA6A95

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: 4']q$TJbq$Te]q$paq$xb`q
API String ID: 0-1123639052
Opcode ID: 3af30e2d02ebbc3869bb36cfe1312e848c8a297591a7559b392106cdcea720cb
Instruction ID: ba9bf3bdaa0a827cf2acddaeb0d3f552800bbfe373270339a2ad005b9fc87891
Opcode Fuzzy Hash: 3af30e2d02ebbc3869bb36cfe1312e848c8a297591a7559b392106cdcea720cb
Instruction Fuzzy Hash: 5AB2A575E00228CFDB65CF69C984B99BBB2FF89304F1481E9D509AB265DB319E81CF50

Function 02A9A769 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 131
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02A9A7F6
GetCurrentThread.KERNEL32 ref: 02A9A833
GetCurrentProcess.KERNEL32 ref: 02A9A870
GetCurrentThreadId.KERNEL32 ref: 02A9A8C9

Strings

@', xrefs: 02A9A8F5

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID: @'
API String ID: 2063062207-3607613960
Opcode ID: 588ed7fd19689efc88e354140c90d96fdd53fdbe29584badffb6cc207f10a1c0
Instruction ID: 7cf4c0931700a3947c2af13fb0f3768ee624d40f1794f6ef06d58f1bbc3427c0
Opcode Fuzzy Hash: 588ed7fd19689efc88e354140c90d96fdd53fdbe29584badffb6cc207f10a1c0
Instruction Fuzzy Hash: 695159B0900249CFDB54DFAAD948BAEBBF1EF48314F20C45AE009A7361DB349945CF65

Function 02A9A778 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 128
threadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcess.KERNEL32 ref: 02A9A7F6
GetCurrentThread.KERNEL32 ref: 02A9A833
GetCurrentProcess.KERNEL32 ref: 02A9A870
GetCurrentThreadId.KERNEL32 ref: 02A9A8C9

Strings

@', xrefs: 02A9A8F5

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: Current$ProcessThread
String ID: @'
API String ID: 2063062207-3607613960
Opcode ID: 65de6dbf71d7d76457abc1079b452aa157c01871c2d9e467df035cefa985e869
Instruction ID: b8ab8823a170a5e4bb4d78457fcb5abc34ba611e6a8b79e91e398bfe120f6feb
Opcode Fuzzy Hash: 65de6dbf71d7d76457abc1079b452aa157c01871c2d9e467df035cefa985e869
Instruction Fuzzy Hash: A45138B09003498FDB54DFAAD948B9EBBF1EF48314F20C45AD019A7361DB349945CFA5

Function 00DAF9E8 Relevance: 2.7, Strings: 2, Instructions: 191
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

(aq, xrefs: 00DAFA1C
(aq, xrefs: 00DAFAA7

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: (aq$(aq
API String ID: 0-3916115647
Opcode ID: 16472f4d84d9aed81b1ece630586a4f1c2e5e8fd9e4cd5c41766276d36485278
Instruction ID: 5bd084bfc387c40f49be138c559647b04018415c7c6cffbb6ae14b1af888d475
Opcode Fuzzy Hash: 16472f4d84d9aed81b1ece630586a4f1c2e5e8fd9e4cd5c41766276d36485278
Instruction Fuzzy Hash: F7619230E042598FCB15DFA9D8646EEBBF2AF89311F1484AAD415E7391DB709D05CBB0

Function 00DA962C Relevance: 2.6, Strings: 2, Instructions: 68
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

,, xrefs: 00DAB0C3
&, xrefs: 00DAB09D

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: &$,
API String ID: 0-11628037
Opcode ID: ba58d1c63168e29d0344edc8e2e48e966e6ec604ac5226de8f2e0e31d2fd48be
Instruction ID: eb9c75ef0c6d33e32fda781eee576a72e112fc71985aaab318d2964d71c9192a
Opcode Fuzzy Hash: ba58d1c63168e29d0344edc8e2e48e966e6ec604ac5226de8f2e0e31d2fd48be
Instruction Fuzzy Hash: 00312774A0221C8FEB60DF68C99079ABBB2FB49300F1044E9C40DA7356EB349E85CF61

Function 02A9F067 Relevance: 1.7, APIs: 1, Instructions: 183
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02A9F231

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: 9c0c81c29abdfec89c2f1167c93581faa214d6e18748e39ba5912864c8827f63
Instruction ID: b18f5ddb0506492a4b57c4ecfbea6c4fdef61c7422e5b41c0907b45f2f6eb9fc
Opcode Fuzzy Hash: 9c0c81c29abdfec89c2f1167c93581faa214d6e18748e39ba5912864c8827f63
Instruction Fuzzy Hash: 5F717AB4D00218DFDF20CFA9D984BDDBBF1BB0A304F6491AAE908A7211D7749A85CF45

Function 02A9F070 Relevance: 1.7, APIs: 1, Instructions: 182
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateWindowExW.USER32(?,?,?,?,?,?,?,?,?,?,?,?), ref: 02A9F231

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: CreateWindow
String ID:
API String ID: 716092398-0
Opcode ID: a68cdaa8ce39e1f8ad89fc051b9c53f0cf1e19200e3295eec67e74a0e04ad236
Instruction ID: 517706aeac6efd092ef090e84a37dc701c0ae81b4ebd511e026921a986128ce4
Opcode Fuzzy Hash: a68cdaa8ce39e1f8ad89fc051b9c53f0cf1e19200e3295eec67e74a0e04ad236
Instruction Fuzzy Hash: F3716BB4D00218DFDF20CFA9D984BDDBBF1BB0A304F5091AAE908A7211D774A985CF55

Function 02A93024 Relevance: 1.6, APIs: 1, Instructions: 129
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

CreateActCtxA.KERNEL32(?), ref: 02A93121

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: 6720be09cc7c082b05b089f1cd4f8d05806000f975e17ac70f66128259a0a3c7
Instruction ID: c4b5f4aaeb51f0a737b79ea6c9534f90ed749ad8211de8bf96308106baea347f
Opcode Fuzzy Hash: 6720be09cc7c082b05b089f1cd4f8d05806000f975e17ac70f66128259a0a3c7
Instruction Fuzzy Hash: BF51C6B1D002198FDF21DFA9C940BDEBBF5AF49300F10809AD549AB251DA756A89CF91

Function 02A903E8 Relevance: 1.6, APIs: 1, Instructions: 126COMMON

Download Yara Rule

APIs

CreateActCtxA.KERNEL32(?), ref: 02A93121

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: Create
String ID:
API String ID: 2289755597-0
Opcode ID: af5980afc0fa4a47123c3f0e6056e9f60c8ce2e600cb172e27eb41f0d5d6fbd9
Instruction ID: 003677198305703f0c45d9957233f2fc82271b916e60822b9be5e3b537ef9088
Opcode Fuzzy Hash: af5980afc0fa4a47123c3f0e6056e9f60c8ce2e600cb172e27eb41f0d5d6fbd9
Instruction Fuzzy Hash: 4551C571D00219DFDF20DFA9C940B9EBBF5BF49300F1080AAD509AB261DB756A89CF91

Function 02A9A9B9 Relevance: 1.6, APIs: 1, Instructions: 110COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A9AA8B

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: e70a2099a616b75e8621cd0bd10a3650445f80240c903e974053a23d477c321d
Instruction ID: 140e2fbab2be271a1ab533a7d1ccf02da15c09401b1cccacd6a9eb02014c1eae
Opcode Fuzzy Hash: e70a2099a616b75e8621cd0bd10a3650445f80240c903e974053a23d477c321d
Instruction Fuzzy Hash: 4E4155B9D002589FCF00CFAAD984ADEBBF5BB19310F14906AE918AB211D335A945CF94

Function 02A9A9C0 Relevance: 1.6, APIs: 1, Instructions: 108COMMON

Download Yara Rule

APIs

DuplicateHandle.KERNELBASE(?,?,?,?,?,?,?), ref: 02A9AA8B

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: DuplicateHandle
String ID:
API String ID: 3793708945-0
Opcode ID: aabba5a4c36ff6021f1482e8036cd2a3e23b8f8cca286151a6b706fe8d6c0fe2
Instruction ID: 291373b31d081804b931f53c6c83686ab3a51ece5c8118625479e37dc5e42315
Opcode Fuzzy Hash: aabba5a4c36ff6021f1482e8036cd2a3e23b8f8cca286151a6b706fe8d6c0fe2
Instruction Fuzzy Hash: 2B4145B9D002589FCF10CFAAD984ADEBBF5BB09310F14906AE918BB311D735A945CF94

Function 02A980B8 Relevance: 1.6, APIs: 1, Instructions: 97libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 02A98952

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: f3174cabf9c027575681a45a6477b1842e87d082f46dd7a5eec2b0af5ec0aaad
Instruction ID: dd946ea40e6b448c2bacc88ae0e37903f5cdd5700d477b4c6785726c16e7e3ff
Opcode Fuzzy Hash: f3174cabf9c027575681a45a6477b1842e87d082f46dd7a5eec2b0af5ec0aaad
Instruction Fuzzy Hash: 5B4198B4D042589FCF10CFAAD884A9EFBF1BB49310F14902AE918BB310D739A945CF95

Function 02A988A3 Relevance: 1.6, APIs: 1, Instructions: 95libraryCOMMON

Download Yara Rule

APIs

LoadLibraryExW.KERNELBASE(?,?,?), ref: 02A98952

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: cf765ccab0accd30ded3012fb6253ef44f0d61376ad95b274af8a20bcb91d766
Instruction ID: 273bb5d092de18763771b65b696d6ce9615c9b1eb39a1afd085555b24ed3775f
Opcode Fuzzy Hash: cf765ccab0accd30ded3012fb6253ef44f0d61376ad95b274af8a20bcb91d766
Instruction Fuzzy Hash: 784198B4D042589FCF10CFAAD884A9EFBF1BB49310F14942AE918B7310D739A945CF55

Function 02A98593 Relevance: 1.6, APIs: 1, Instructions: 77COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 02A9862A

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: 8654c9245601ed4fd173df74a0c8ae55a05d949f4d6474cd9444bca2986fe2d1
Instruction ID: f549be677c52aa74bf1d376ee91681ceaa3c1ebe45a857fa726627927787d94a
Opcode Fuzzy Hash: 8654c9245601ed4fd173df74a0c8ae55a05d949f4d6474cd9444bca2986fe2d1
Instruction Fuzzy Hash: F231CAB4D002089FCF14CFAAD584ADEFBF5AB49314F14906AE918B7320D738A945CFA4

Function 02A98598 Relevance: 1.6, APIs: 1, Instructions: 76COMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNELBASE(?), ref: 02A9862A

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: HandleModule
String ID:
API String ID: 4139908857-0
Opcode ID: ffef4e71f6e2967465d2f12f3146515f1cb8245384c7a5f27b7c89542b2ae8cb
Instruction ID: 902d5965ce8ba76b1f95af6d724e790848ec9b2547514b5f1fd727382bf3d852
Opcode Fuzzy Hash: ffef4e71f6e2967465d2f12f3146515f1cb8245384c7a5f27b7c89542b2ae8cb
Instruction Fuzzy Hash: 2E31A8B4D002589FCF14CFAAD584ADEFBF5AB49314F14906AE918B7320D738A945CFA4

Function 02A91680 Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 02A916F0

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: d7e1d32930b025e87df0b6626bafe0e9adbbe20b14b979652a800f62f37eb818
Instruction ID: 06440965d99a7175af70384e5bdd51f0b940ef69a5e99ef3a86abb7db10300ce
Opcode Fuzzy Hash: d7e1d32930b025e87df0b6626bafe0e9adbbe20b14b979652a800f62f37eb818
Instruction Fuzzy Hash: 7421BDB4D012198FCB14DFAAD584ADEFBF5AB49320F24941AD409B7240DB35A945CFA4

Function 02A9167B Relevance: 1.6, APIs: 1, Instructions: 65COMMON

Download Yara Rule

APIs

GetConsoleWindow.KERNELBASE ref: 02A916F0

Memory Dump Source

Source File: 00000002.00000002.2115928469.0000000002A90000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A90000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a90000_MSBuild.jbxd

Similarity

API ID: ConsoleWindow
String ID:
API String ID: 2863861424-0
Opcode ID: 41098da788cf9b9a102e878175f16145a0596731d95551bdc5d65207e55babe7
Instruction ID: d30b14e85ca70f6c2f410eab4346e9adb86172711fc2321a27ef180d2aa56dfe
Opcode Fuzzy Hash: 41098da788cf9b9a102e878175f16145a0596731d95551bdc5d65207e55babe7
Instruction Fuzzy Hash: 5A21BDB4D01259CFCB14CFA9D584ADEBBF5AF49320F24945AD409B7240CB35A945CFA4

Function 00DAF78B Relevance: 1.4, Strings: 1, Instructions: 120COMMON

Download Yara Rule

Strings

Te]q, xrefs: 00DAF838

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: Te]q
API String ID: 0-52440209
Opcode ID: 9307e7eecf1cc3b9f3fac2a80d3c200d2e6f537b1e0bb4a1774e43a6648658b4
Instruction ID: 326c6f363c0a1c0ae3d8c27100c4deb20af7c85e5b8e863b3620de00ea6f1b0f
Opcode Fuzzy Hash: 9307e7eecf1cc3b9f3fac2a80d3c200d2e6f537b1e0bb4a1774e43a6648658b4
Instruction Fuzzy Hash: 8E41B474E45208CFCB14DFA8D5999ADBBB5FF4A300F205569D40AAB366CB30AC46DF50

Function 00DA7B57 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

#, xrefs: 00DACB22

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: #
API String ID: 0-1885708031
Opcode ID: fa99590678a51af152ddba8a51f340c8cb86a43c387582bb9df48f1927440b75
Instruction ID: c27586bc9cf28c1db2312715d21f8161ebcbe015d3f830e0fcf9b287d31fc592
Opcode Fuzzy Hash: fa99590678a51af152ddba8a51f340c8cb86a43c387582bb9df48f1927440b75
Instruction Fuzzy Hash: 1A3129B4A04218CFCB60DF64C9907AABBB2FB4A304F1044E9C64DA7754EB359E85CF65

Function 00DA7A31 Relevance: 1.3, Strings: 1, Instructions: 58COMMON

Download Yara Rule

Strings

', xrefs: 00DAA089

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: '
API String ID: 0-1997036262
Opcode ID: 9428876f12714ae6c0ac7f67c405f75d2513544f2f142ae650f843e8ffd53ac4
Instruction ID: 5b6e09d586ac0744314c9738961c2886897d518d40561939f98431f75564d25d
Opcode Fuzzy Hash: 9428876f12714ae6c0ac7f67c405f75d2513544f2f142ae650f843e8ffd53ac4
Instruction Fuzzy Hash: 40210674E422188FEB54DF64C994B9ABBB2FB88300F1044EAD409A7356EB349E85CF50

Function 00DAE703 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

+, xrefs: 00DAE78B

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: +
API String ID: 0-2126386893
Opcode ID: 252e5c4b5a1b96e986bcd52db494711569575d61457bef7750eba82bd4e56ea6
Instruction ID: 798897db408e2d7dc5b3f2793d17f272f546f00530c8abfd6e12fcb174e7e5d3
Opcode Fuzzy Hash: 252e5c4b5a1b96e986bcd52db494711569575d61457bef7750eba82bd4e56ea6
Instruction Fuzzy Hash: E111E6749006588FDBA0DF58C994B9ABBB2EB09309F1444E5C009A7790DB759EC5CF64

Function 00DA89C0 Relevance: 1.3, Strings: 1, Instructions: 39COMMON

Download Yara Rule

Strings

(, xrefs: 00DA8A48

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: (
API String ID: 0-3887548279
Opcode ID: 445cee141610501f3e86979752cf1cbb0757de79bd52e6fcbf972f916a5f49e3
Instruction ID: 5dcb42db1514a3497c3664c6fe5da3c898a94e98cb6f520806f1de04e6298a74
Opcode Fuzzy Hash: 445cee141610501f3e86979752cf1cbb0757de79bd52e6fcbf972f916a5f49e3
Instruction Fuzzy Hash: 20110074A00218CFDB64DF68C990B9ABBB2FB89304F1045E9C00DA7350EB369E95CF61

Function 00DA818B Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

!, xrefs: 00DA8214

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: !
API String ID: 0-2657877971
Opcode ID: 4a9651c204bbe52d2e57336de6107f19eceeab61d15ac901d4a845bcec3e8c20
Instruction ID: 0f77d4561296d8cea87bdd6bbf2e5a9314f09ff1b59f723dede2443e8d8f6430
Opcode Fuzzy Hash: 4a9651c204bbe52d2e57336de6107f19eceeab61d15ac901d4a845bcec3e8c20
Instruction Fuzzy Hash: 2C01E474A022288FEB54DF64C9A079ABBB2FF88700F1085E9D409A7356DA349E85CF50

Function 00DAA761 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

, xrefs: 00DAA7EA

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 7af92938cb05a22adb41db721af5b877e51edfa4ee22031e7b8b873ac7ed5efc
Instruction ID: 0e88249c930cef1737f0d58da20286b07b099d0d40428c569a8bcdbfcbe039af
Opcode Fuzzy Hash: 7af92938cb05a22adb41db721af5b877e51edfa4ee22031e7b8b873ac7ed5efc
Instruction Fuzzy Hash: D7011670E042289FCB91DF64C95078EBBB2FB8A300F1044A9D14DA7344DB786E818F62

Function 00DAC8B9 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

%, xrefs: 00DAC942

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: %
API String ID: 0-2567322570
Opcode ID: 3c059cd169ac7c9eaa080489499dcb6ea6447aeb63bb8cc821d0f1aa1054f1f2
Instruction ID: 110eed1f4e28b9aa5a86e6852503c387f4bcf11718c070c9b6e55a263e4e5473
Opcode Fuzzy Hash: 3c059cd169ac7c9eaa080489499dcb6ea6447aeb63bb8cc821d0f1aa1054f1f2
Instruction Fuzzy Hash: 4701FB74A00A188FCB64DF64CD5079BBBB2FF49302F1045E9C44AA7355EB346E859F52

Function 00DAC94F Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

$, xrefs: 00DAC9D8

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-3993045852
Opcode ID: d28d0c64bc06a220aeabde501928979b5f745f1884648516c511b285d86d3005
Instruction ID: 58d4c9b80ccd85c1924db15badd48a4bc2405c51c73505c28e6e796b627f07ae
Opcode Fuzzy Hash: d28d0c64bc06a220aeabde501928979b5f745f1884648516c511b285d86d3005
Instruction Fuzzy Hash: 3D014FB09006198FCB60DF54CD9079ABBF2EF44305F1084EAC50A67346DB346E85CF64

Function 00DAAAF3 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

", xrefs: 00DAAB7C

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: "
API String ID: 0-123907689
Opcode ID: 64263515b4f76996e6f523001741e65d09a384bd149e20a2584db3a3b9611a8a
Instruction ID: df2b5a31ca1c0ce048ac846cd4dc5949bc8d56fe48109d629779f916d1ac7ecd
Opcode Fuzzy Hash: 64263515b4f76996e6f523001741e65d09a384bd149e20a2584db3a3b9611a8a
Instruction Fuzzy Hash: DC012470A012288FDB50EF64C99078ABBB7FB89310F1044E9C00DA3B54DE369E92CF61

Function 00DA7AC1 Relevance: 1.3, Strings: 1, Instructions: 29COMMON

Download Yara Rule

Strings

), xrefs: 00DA7B4A

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID: )
API String ID: 0-2427484129
Opcode ID: b5c370de2ae2a1fcc1ac43cd23ae3323a2921b28f365775ba1776b2b40c6ac98
Instruction ID: bd6393e4ba1b3fe7825f582a2a3e3a305e4c176e04262003dadbfb6ff3aee0aa
Opcode Fuzzy Hash: b5c370de2ae2a1fcc1ac43cd23ae3323a2921b28f365775ba1776b2b40c6ac98
Instruction Fuzzy Hash: D0012874E4021A8FCB56DF24C9507AABBB6FB48304F1044E9C519A7344EB345E81CF50

Function 00DA8221 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b4d84987012468ce27b24bbacae1d2b694b48cbd50c05291c35eaaeede4f0
Instruction ID: 4944059df6a206cbce825d536e586c5c974909a841b69f12d579958a9e3e3ea4
Opcode Fuzzy Hash: 730b4d84987012468ce27b24bbacae1d2b694b48cbd50c05291c35eaaeede4f0
Instruction Fuzzy Hash: 1E511778A012288FDB64DF24C950B9ABBB3FB89300F1045EAD44DA7355DB369E91CF60

Function 00DA86C7 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dd721d424577cb7316dec0c56c6230fdd66cbcc146ccde00eebbe10ffafb97d9
Instruction ID: 59e68bfcd75b29bc90a78e82b51145aec2797458e10f9d354e59a55b0a821d7e
Opcode Fuzzy Hash: dd721d424577cb7316dec0c56c6230fdd66cbcc146ccde00eebbe10ffafb97d9
Instruction Fuzzy Hash: 0451E574E082188FCB95DF64C95469ABBB2FB49300F1085A9D40EA7354EE38AE85DF51

Function 00DA8BBA Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f05148aa089d2adde3f8a4f38c149857f8bea7241e43f5993d6cca6d8807696
Instruction ID: c5b12b9257f02c40d731f42d6a415a341634d6158ad4cfe00f04c00c6e0313f3
Opcode Fuzzy Hash: 1f05148aa089d2adde3f8a4f38c149857f8bea7241e43f5993d6cca6d8807696
Instruction Fuzzy Hash: 4F514A74A012298FCB64DF64C964BAABBB2FB49304F1044E9D40EA3754EF349E85DF51

Function 00DA8C49 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5d440faacb73f8062135dc0394dae9983cce4f5c463cf582e9f13779b253546e
Instruction ID: 9719095b19fb7ac53ed6806eb3bee65888cc40090d4b03d21523253781415cb4
Opcode Fuzzy Hash: 5d440faacb73f8062135dc0394dae9983cce4f5c463cf582e9f13779b253546e
Instruction Fuzzy Hash: 5A51F274A002288FCB66DF24C95079ABBBAFB49705F1085E9E40DA3354EF349F859F50

Function 00DA8D67 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ac127b82819cb11894283c62e31cd5141370151ba217ebb0772a036a79515306
Instruction ID: cb6b7e8746b2c52c8ae680ee898d312662f8723e7790e488acfb7ad69867c4a7
Opcode Fuzzy Hash: ac127b82819cb11894283c62e31cd5141370151ba217ebb0772a036a79515306
Instruction Fuzzy Hash: C5512574A016288FCB65DF24CD507AABBB2FF49301F1044E9C40EA7755EB349E859F51

Function 00DA9B60 Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 208cdb4ea4af0bb5ebaa66ee67ceae27f219cb6f7871367d2d1cbaa84fa055d3
Instruction ID: 23989149a0b26414b1a0c71cfd236edeff89788c264040c1b01d1f48ac9a9316
Opcode Fuzzy Hash: 208cdb4ea4af0bb5ebaa66ee67ceae27f219cb6f7871367d2d1cbaa84fa055d3
Instruction Fuzzy Hash: 02513DB49012288FCBA4DF64C99079ABBB2FB49304F1044EAC60DA7355DF349E85DF64

Function 00DA7D0B Relevance: .1, Instructions: 115COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf00e29258b67d1d00946cd51b121cdfcfb77fe2410b7a4e2bbdd61dfb3928a3
Instruction ID: 50b75038bdd1b1ce5daf296004d0d54b691fc0ae4fa90ebd7a52f859e5d8250a
Opcode Fuzzy Hash: cf00e29258b67d1d00946cd51b121cdfcfb77fe2410b7a4e2bbdd61dfb3928a3
Instruction Fuzzy Hash: 7F510674A012288FCB65DF64C9947DABBB2FB89305F1044E9D50EA7354EB349E85CF90

Function 00DAB514 Relevance: .1, Instructions: 97COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bf54ad4836b0d9e0e8c9c45e3c652f26e4ff9757617efcfb6f903aed7f7048b
Instruction ID: 47539d035fc1e00116217b9220f7cecabcf2af53b8dfab5bc47a7863f15863dc
Opcode Fuzzy Hash: 8bf54ad4836b0d9e0e8c9c45e3c652f26e4ff9757617efcfb6f903aed7f7048b
Instruction Fuzzy Hash: 9D411574A002188FCB66DF64C95079ABBBAFB49304F1044E9D54DA7354EB749F81CF61

Function 00DAA1BB Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 168a3c79426a231189dde7f37e68e9dfe38263ebe1c58e26f044a362e7531223
Instruction ID: 13ed78e152c4f0c6281802823a1400ddbbd8a27494264cefbff2276e1d2de81b
Opcode Fuzzy Hash: 168a3c79426a231189dde7f37e68e9dfe38263ebe1c58e26f044a362e7531223
Instruction Fuzzy Hash: 1D410874A013288FDB64DF68C950B9ABBB2FB4A304F1044EAC40EA7B54DB349E85DF51

Function 00DA82B0 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84281e323870c27257fde79a4c2932e915b719b11c95ad5bc70ae391ffb18c1b
Instruction ID: 6ee383a2133f642372d5cad59bbf07e9bb9ffd18328761a562e1532cbf85bc6b
Opcode Fuzzy Hash: 84281e323870c27257fde79a4c2932e915b719b11c95ad5bc70ae391ffb18c1b
Instruction Fuzzy Hash: 1341F474A012288FCB55EF24CA98B9ABBB6FB49300F1045E9C44DA7355EF349E818F61

Function 00DAA88D Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66473e580ae52f85f9cb5e7f7a59aa17f4d34556e2898810b45197d5a20e72d0
Instruction ID: 84440fef816a7fa706053c54289f92d426f6fa5ebfa35c2ffbf06a84b27088ce
Opcode Fuzzy Hash: 66473e580ae52f85f9cb5e7f7a59aa17f4d34556e2898810b45197d5a20e72d0
Instruction Fuzzy Hash: 60410674A012288FCB54DF64C9907DABBB3FB89300F1044E9D40AA7355DE369EA5CFA4

Function 00DA91E7 Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa14dc29e9b55acaceaaaab40586cc98563e052c0095588620712b9ca8911b6f
Instruction ID: a38a91d3f2e31378036fbcebb375a990788dfd940d29103c207e615379ea71c0
Opcode Fuzzy Hash: aa14dc29e9b55acaceaaaab40586cc98563e052c0095588620712b9ca8911b6f
Instruction Fuzzy Hash: E6415A74A052298FCBA4EF24C99879ABBB2FB49300F1085E9C40DA7354EF349E85DF50

Function 00DA939B Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 486b284f8b50d48adfa4d5c7927171dfbab73d6beb3cd2b78f10573df77a616d
Instruction ID: d5c9ec592b88ac2825ba2111f95549b3bb948f448ee67cc5d919a078f462742f
Opcode Fuzzy Hash: 486b284f8b50d48adfa4d5c7927171dfbab73d6beb3cd2b78f10573df77a616d
Instruction Fuzzy Hash: 3341F874E042188FCB95DF68C99069ABBF2FB49300F1044E9D50DA7355DA38AE85DF51

Function 00DA7D9B Relevance: .1, Instructions: 86COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67ddaeaebee6cda4f012dd824f8c5901489f93ac5d2fcb199c17df3321c5e5ba
Instruction ID: 9fe4a22ebebdcc38f19ad9521a5b1367c59ca0fd44c355ec9de2f8849b7e22e6
Opcode Fuzzy Hash: 67ddaeaebee6cda4f012dd824f8c5901489f93ac5d2fcb199c17df3321c5e5ba
Instruction Fuzzy Hash: 11413974A002198FCB64EF64C964B9EBBB2FB49308F1045E9D40DA3755EB349E81DF50

Function 00DA7850 Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dc53e90c5ab125fbed3dc29687e579f0fdb663fff629a0eca8310d059302cb23
Instruction ID: d06cf7926ce2dc1648215f122ef1351f13831cae6caea7130595785d61f48a35
Opcode Fuzzy Hash: dc53e90c5ab125fbed3dc29687e579f0fdb663fff629a0eca8310d059302cb23
Instruction Fuzzy Hash: C0315E34E042088FDB01DFA8D855AEEBBB1FB8A300F14856AD805A7395DA349D06CB61

Function 00D5D1D4 Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112326681.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d5d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32e49d16a2fa812ef370e634a5539c9452fe103f88aa8ace0d1be8e6746472a5
Instruction ID: 1a6a06b0ef67cb28dc30a2d65f0c14306376b2cd4c94b9dc93d3f997de275e5d
Opcode Fuzzy Hash: 32e49d16a2fa812ef370e634a5539c9452fe103f88aa8ace0d1be8e6746472a5
Instruction Fuzzy Hash: D4210071504200AFCF25DF24C9C0B26BBA6FB88315F24C56DEC494B296C33AD84ACA71

Function 00D5D01C Relevance: .1, Instructions: 72COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112326681.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d5d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b952774b8cf5a7e47abe3673f05fb42b408d0cc8e90ac9b5de98450202ab23c2
Instruction ID: 1b33152cfb3418a0d74a95dd4bffc4712c71a64fadb389f23255de6b6905a1fd
Opcode Fuzzy Hash: b952774b8cf5a7e47abe3673f05fb42b408d0cc8e90ac9b5de98450202ab23c2
Instruction Fuzzy Hash: EF21D371504204DFDF24DF28D584B16BB66EB84315F24C569DD494B296C33AD80BCA71

Function 00DA806D Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4fe01b77aca8298ecb20d11c567fb53535e2fd22785bfc45a877f5d040c35ae8
Instruction ID: 84c7e6183b4babf18f09f7aaab9251ab15f48d84069d98c6a63753db8c66061c
Opcode Fuzzy Hash: 4fe01b77aca8298ecb20d11c567fb53535e2fd22785bfc45a877f5d040c35ae8
Instruction Fuzzy Hash: 8B3138B4A002188FCB64DF28C99079ABBF2FB49304F5044E9D20DA3350DB349E85CF69

Function 00DA83CE Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2496a46fd07dae826a20162e2a32c49efdd4eb9d714417d151945cc83ae770b0
Instruction ID: fb8149a9ac89b74461db654ab12bd1c3c289391f5077e91ce887d677cc8abcd7
Opcode Fuzzy Hash: 2496a46fd07dae826a20162e2a32c49efdd4eb9d714417d151945cc83ae770b0
Instruction Fuzzy Hash: 2A310674A003188FCB64DF64C994B9ABBB2FB4A300F1045E9D40EA3B54DB359E85DF52

Function 00DA84ED Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4a02f83d9f69f6f59200682eb12c1b77266af6806b22bead5d0e598cae279dfe
Instruction ID: 49b13c6d52ff8905d8cc569e94a8a6acca429f6eb12b06119c61309f4ba8ed5a
Opcode Fuzzy Hash: 4a02f83d9f69f6f59200682eb12c1b77266af6806b22bead5d0e598cae279dfe
Instruction Fuzzy Hash: 0431E274A002188FDB55DF68C9A4BDABBB2FB49300F1084E9D50DA7354EF349E859F61

Function 00DA9868 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1e94a598154a8025e2e0ce219b74be1f53c57fd7fc3f3ee69f539259455308b2
Instruction ID: 0e24929c9f0019f6417774e9e90149db273e6b6acf68bc5093af0ccaeb540f66
Opcode Fuzzy Hash: 1e94a598154a8025e2e0ce219b74be1f53c57fd7fc3f3ee69f539259455308b2
Instruction Fuzzy Hash: F2310474A01218CFDB54DF68C990B9ABBB2FB49304F1045E9C50DA7355DB349E85CF62

Function 00D5D005 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112326681.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d5d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a979c9ceaf12ae5aac67a01472ada72a9320dd1cca6aabf1102a9fc43b6d175e
Instruction ID: c56520bd345d5d3c36f623b1cf3d9e8f37898caf0086900fb92f356188c1dd7c
Opcode Fuzzy Hash: a979c9ceaf12ae5aac67a01472ada72a9320dd1cca6aabf1102a9fc43b6d175e
Instruction Fuzzy Hash: 9C215E755093808FDB12CF24D994715BF72EB46314F28C5EADC498B6A7C33A980ACB72

Function 00DA7870 Relevance: .1, Instructions: 62COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c1d95cc49ffc25791a794a96b41b37c49382baca2a8a0485fc81ebee1d96cc2
Instruction ID: 47b20ace8e02876f08ccdff15b9ba77c4810ae43a99aa8653269b4695760286a
Opcode Fuzzy Hash: 1c1d95cc49ffc25791a794a96b41b37c49382baca2a8a0485fc81ebee1d96cc2
Instruction Fuzzy Hash: 54211D74E04208DFDB44DFA8D855AAEB7F5FB89304F108529D909A7385DB389906CFA1

Function 00DA8875 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4e541e78f20f46984ee5e071b7f183927423ce3fe64e84a113bdb7143b8a9ea4
Instruction ID: afb8cce54e76590d663a0ba5df6b48e15a7aca1c70115d9c713eed36374f4fa9
Opcode Fuzzy Hash: 4e541e78f20f46984ee5e071b7f183927423ce3fe64e84a113bdb7143b8a9ea4
Instruction Fuzzy Hash: 41212474A012288FDB65DF68C990B9ABBB2FB49300F1044EAC50DA3345DB359E85DF50

Function 00DAB633 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8252ec13551d039d8e8351e167acf321c5263f8e2f241535ac54f30972032d7c
Instruction ID: 19be19f3c3d2ec75da892fce045b3ed8c204dee55b721a62a91d946483333718
Opcode Fuzzy Hash: 8252ec13551d039d8e8351e167acf321c5263f8e2f241535ac54f30972032d7c
Instruction Fuzzy Hash: F8210674A00A28CFCB64DF64CD5079BBBB2FB49302F1088E9D44DA7355EA349E819F61

Function 00DA7C7C Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4028752583c235f43c8165eac0719bff3cff43fdaadb50f2e678d1dbaed03551
Instruction ID: 74f1cf5167178513bcfdb651bc6a669f7e151093607a21ebdfb762d08e424982
Opcode Fuzzy Hash: 4028752583c235f43c8165eac0719bff3cff43fdaadb50f2e678d1dbaed03551
Instruction Fuzzy Hash: B7213B74A042288FCB65DF64C95079ABBB2FB89308F1044EAD40DA7355EF359E86DF60

Function 00DA80FC Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace3bad0e578aae8cb6b43d8b5a16e3ce2f45072193b01d7642c5ce99e5d4ebb
Instruction ID: 7e2446dd1a71715f1c9dd8d5b3fabae9c4f36086b7f4c3a1ba9c9a46a243e193
Opcode Fuzzy Hash: ace3bad0e578aae8cb6b43d8b5a16e3ce2f45072193b01d7642c5ce99e5d4ebb
Instruction Fuzzy Hash: 82210674E00A288FCB54DF64DD5069ABBB2FB49302F1084E9C44DA7355EE349E86EF50

Function 00DAA096 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7ac28e4e2a68eaf086a2ebc0e83f8839a76f51f6b1a15a923823d7eff700c82a
Instruction ID: 85ed4dd0c2bc7d135915ed5092a9002507d32c25323afd21247e9fec5dc0cf0d
Opcode Fuzzy Hash: 7ac28e4e2a68eaf086a2ebc0e83f8839a76f51f6b1a15a923823d7eff700c82a
Instruction Fuzzy Hash: 1F214BB0A002298FCB60DF24C95079ABBB2FF89305F1004E9C64EA7345DB349E85DF65

Function 00DA833F Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a519a65ef5c6b1ea972abc878a2881717a7bf0416d06a14f651c178a3246a7e
Instruction ID: 5e6936f8095766d27840c3098cd77b19ce627953f028f706695f3db76fc167e0
Opcode Fuzzy Hash: 2a519a65ef5c6b1ea972abc878a2881717a7bf0416d06a14f651c178a3246a7e
Instruction Fuzzy Hash: 4A21F774B0072C8FCB54DF28C9507DABBB2FB4A300F1044E9D40AA7B55DA749E858F92

Function 00DAA4FC Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 27d06fefd58b2e0459d980b7ef5c84254b7fd8a26b3b79830bf66755040201c0
Instruction ID: b9125b09644b4ccb35a33281326c512eca2f418f1bf5642909880793fccaeb30
Opcode Fuzzy Hash: 27d06fefd58b2e0459d980b7ef5c84254b7fd8a26b3b79830bf66755040201c0
Instruction Fuzzy Hash: 2B212874A002288FCB56DF64D9A079EBBBAFB49700F1045EAD40EA7395DA749F818F50

Function 00DAA46C Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a19143b6e23db17fad064bb4f26672283adca919b5b273ce6a7ae382dd7666bf
Instruction ID: 6bf3ebb3105c2f6ef6cfd7038a5485feef456184d5bcde4aa50fc4e95cfa5662
Opcode Fuzzy Hash: a19143b6e23db17fad064bb4f26672283adca919b5b273ce6a7ae382dd7666bf
Instruction Fuzzy Hash: 7B21F574B002198FCB64DF24C994B9ABBB2FB4A304F1044E9D44AA7B95DB349E81DF52

Function 00DA87E5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4971fe466757ceab2d33f4a129f450ef30f313ba4a59e3b5db98604d6dd0bfcf
Instruction ID: 42de59940599e7f9fbb6b64cf66d27860a9ff7a9e5c989d91b8c85ff85b9f21d
Opcode Fuzzy Hash: 4971fe466757ceab2d33f4a129f450ef30f313ba4a59e3b5db98604d6dd0bfcf
Instruction Fuzzy Hash: 5D211774A012188FCB64EF24C99079ABBF2FB88700F1085E9D58DA7354DE349E85CF90

Function 00DA8756 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1212788bde8923c830b67b70f19a38bace92df831bc96088f6f79371318c867
Instruction ID: 3b9563c64dfca82b3160db3773ee6b5b6e33f96cfb9d933d503adaf8c9027759
Opcode Fuzzy Hash: b1212788bde8923c830b67b70f19a38bace92df831bc96088f6f79371318c867
Instruction Fuzzy Hash: 4F212674A016288FCB64DF28C9A479ABBB2FB88301F1045E9C40DA7355EF349E85DF54

Function 00DAACA8 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1242dc36e6ce69a2e434162562b0dc921ba8a7f775a43aa7ca83420c9a9787ba
Instruction ID: a9bb301092b7c1808d2768f582020f7e32f178da6727e514d47c233a51f01c0e
Opcode Fuzzy Hash: 1242dc36e6ce69a2e434162562b0dc921ba8a7f775a43aa7ca83420c9a9787ba
Instruction Fuzzy Hash: 2421D774A012188FDB54DF64C954B9AB7F2FB49304F1084EAD489A7354DF349E85CFA1

Function 00DAADC7 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73899ca551b361e456f30ed223a76f82ca0abece23ed2c45ca0bb69e4d20f4ac
Instruction ID: 4f5d45ca709756eff160c5f1e76829def4fbc8ad6b5f2c6822ff4ea4513222c2
Opcode Fuzzy Hash: 73899ca551b361e456f30ed223a76f82ca0abece23ed2c45ca0bb69e4d20f4ac
Instruction Fuzzy Hash: 19212674A012298FCB65DF64C9507DABBB2FB4A300F1048E9D54DA7354EB749E81CF92

Function 00DA8DF5 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3e9936fe56cfe51ea234ed6bfb04aa38f8c6547379469e5663fe16cebd4644a3
Instruction ID: b83df783f3f64117a8cad2b24db5fb3f8413521d716272b094822a87eee03edb
Opcode Fuzzy Hash: 3e9936fe56cfe51ea234ed6bfb04aa38f8c6547379469e5663fe16cebd4644a3
Instruction Fuzzy Hash: 6C21E8749016288FDB64DF64CD50B9BBBB2FB49302F1044EAD509A7355EF345E818F60

Function 00DAAD38 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 858489233ac8263fd82c5bd93b24678427d04a252e2efd1ff28fecc59b1d2e36
Instruction ID: 034a28db671ee3479ac8c357a5d86c0474e45bfecf3b2e14906e237335f767dd
Opcode Fuzzy Hash: 858489233ac8263fd82c5bd93b24678427d04a252e2efd1ff28fecc59b1d2e36
Instruction Fuzzy Hash: BB21D974A012188FDB54EF58C9507AAB7F2FB49300F1084EAD58DA7755DF345E818F91

Function 00DAAFA0 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f6381e68868914cccdc4d5fd955d40c0bbf455fb60c2fece6b580f7350cf6c40
Instruction ID: bd1b14ae9f9f19be4f3233be4daf458d997097a2e7c23dc1c6c81e60f0af5ac9
Opcode Fuzzy Hash: f6381e68868914cccdc4d5fd955d40c0bbf455fb60c2fece6b580f7350cf6c40
Instruction Fuzzy Hash: 0621D574E002088FCB45DFE4C99469EBBB2FF89300F208829D50AAB359EB749D45DF61

Function 00DAAF11 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1b17ea8e0bdf82a9cf715f2403173c438a7ae018404f734a7459f36bb5b8e1c5
Instruction ID: d93ac67d670ddbdcfe096c57c98149a270bafab213e454568f2fe57d71033f5f
Opcode Fuzzy Hash: 1b17ea8e0bdf82a9cf715f2403173c438a7ae018404f734a7459f36bb5b8e1c5
Instruction Fuzzy Hash: 57212874A4022C8FCB64EF64C9947DABBB2FB48300F1044EAC50D97755EB349E829FA0

Function 00DAB1D3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc30830c7184ac1ea7ca6a1d13189aad2d6229e1b4262668a970109a781d92f
Instruction ID: fcca7dd6734d2accb3e41a0fdffeb665cd5cc99acdd2e658edba779e04d51206
Opcode Fuzzy Hash: fbc30830c7184ac1ea7ca6a1d13189aad2d6229e1b4262668a970109a781d92f
Instruction Fuzzy Hash: A6212674A0022C8FCB66DF64C95079ABBFAFB4C300F5044EAD409A7355EA349F858FA1

Function 00DAB262 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c0c87ad6bf5bec59c8c1956ca18cfa4c78729a5bcb98fc7d379a03d2f11df1c
Instruction ID: bc99b9a70443122f286e9a3111c398fe085d76b5cc36ee14891049f061e8c0ee
Opcode Fuzzy Hash: 5c0c87ad6bf5bec59c8c1956ca18cfa4c78729a5bcb98fc7d379a03d2f11df1c
Instruction Fuzzy Hash: 1C212C74940219CFCB64DF64C950BAAB7B2FB48300F1088E9C50EA7754EB349E85DF60

Function 00DAB382 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5e7f04fc812c3dc6ed8d515c225b19dc661af42e99856043c0cc7074e12d925
Instruction ID: 5d8decd78dba265e58e37c565dbaaff9377baf9cc8742427dcbd0edbdb563f9a
Opcode Fuzzy Hash: c5e7f04fc812c3dc6ed8d515c225b19dc661af42e99856043c0cc7074e12d925
Instruction Fuzzy Hash: 2121F574A002288FCB65DF64C9507DEBBB2EB49300F1085EAD909A7355EB349E82DF91

Function 00DAD3A3 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7bb00e00a1ca95515cc26f79d618633850ad0b802932c7ddf04fab41f4dabd0d
Instruction ID: 0f278a907c6b0f62ae0c25d07b7d4fd33b5fdb6df27aa75239649098f4f0b5b7
Opcode Fuzzy Hash: 7bb00e00a1ca95515cc26f79d618633850ad0b802932c7ddf04fab41f4dabd0d
Instruction Fuzzy Hash: 6F2117B4A002288FCB64DF24C99079ABBB2FB49304F1088E9D64DA7755EF349E859F54

Function 00DAB411 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e940d8fdc537d3d9b547598abb8879c9d5f070ed38fb89bf71f53e493271c01d
Instruction ID: fa69c4e5918416646434acd18a50f5ac4b44bf4236dfb7b7934b9906b49c3ed7
Opcode Fuzzy Hash: e940d8fdc537d3d9b547598abb8879c9d5f070ed38fb89bf71f53e493271c01d
Instruction Fuzzy Hash: CA2119B4A4022A8FCB64DF64C990BAA7BB2FF89300F1044E9C54D97355DE349E85DF64

Function 00DA97D9 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5819b76b5022f78e7a938e5289cc8735a4aba6082d57efc4c1f4bab381574e9
Instruction ID: 7fa5cb1dd8a32ea9f0ad5928bbcccfb45f34d5ecbd4a0d9f907d79d09410c91a
Opcode Fuzzy Hash: f5819b76b5022f78e7a938e5289cc8735a4aba6082d57efc4c1f4bab381574e9
Instruction Fuzzy Hash: FC210474A0022C8FCB65EF25C95069ABBF2FB49300F1084E9C48DA7354EE359E81CF90

Function 00DA974A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 36b39dc51e15045218e350a95a1e7f3f4bce5b78a0c3092fa93cceab3e5b7717
Instruction ID: 6c798ceeb940acc1410c428e034a20c2fc486d0c43054534ce09ebf512d94f0b
Opcode Fuzzy Hash: 36b39dc51e15045218e350a95a1e7f3f4bce5b78a0c3092fa93cceab3e5b7717
Instruction Fuzzy Hash: 1A213C74A002288FCB54EF64C96079ABBB2FF4A308F1044E9D54DA7355DB349E85CF52

Function 00DAB77E Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d6cc8239041627050529206318b7eeaa3ea1bd766107a6505b1addeb70c224d
Instruction ID: dc2fb56a311b29c48124872f3958d83300366d8d24f2285f563bba1f18c1d6b0
Opcode Fuzzy Hash: 4d6cc8239041627050529206318b7eeaa3ea1bd766107a6505b1addeb70c224d
Instruction Fuzzy Hash: 88212874A026188FEB94DF64C95479ABBB2FB89300F1084E9D40DA7356EF349E85DF50

Function 00DAB9C1 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff52e9390b5b296d6d5b3c10165b4cb8d77f260d7f285a029e91e9ab56b67d42
Instruction ID: 20b180c3a539d335ba6b85452f4168395dd491121bb7c8ce4f11575bf7e8e382
Opcode Fuzzy Hash: ff52e9390b5b296d6d5b3c10165b4cb8d77f260d7f285a029e91e9ab56b67d42
Instruction Fuzzy Hash: B8213974A402688FCB54EF64C99879EBBB2FB48300F1045EAC40DA7354EB349E82CF54

Function 00DA99B2 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdf362e4296429e41fc33a3e60073ebaa3222ba2119e0dee6d8e2dd62230b604
Instruction ID: 1823c113ce9240e980b4ad3f070d20351d0f3304d048994782a8330720168655
Opcode Fuzzy Hash: bdf362e4296429e41fc33a3e60073ebaa3222ba2119e0dee6d8e2dd62230b604
Instruction Fuzzy Hash: B5210474A40229CFCB64EF64C950BAABBF2FB49300F1084E9D549A7355EF349E819F90

Function 00DABC0B Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5bd001b5d8933f353119514b73aeb414db47e79f6c8f6ae94845c88d5c800af3
Instruction ID: f4609320e99a5e083d769af472ffc008ace8876c7f71ce3c01d394a951ca06f7
Opcode Fuzzy Hash: 5bd001b5d8933f353119514b73aeb414db47e79f6c8f6ae94845c88d5c800af3
Instruction Fuzzy Hash: 60216B74A026288FDBA1DF64CD50B9ABBB2FB89300F1044E9C40DA3346DB349E86CF51

Function 00DA9D3A Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02fa7cbdfd43313225caccc27cdbf5d88b97d2398f6b75e64757b1b567138533
Instruction ID: f737c35a0dd6f03ae172976d4a44fa1e82a85241cf71510a784c964196c92449
Opcode Fuzzy Hash: 02fa7cbdfd43313225caccc27cdbf5d88b97d2398f6b75e64757b1b567138533
Instruction Fuzzy Hash: 18215A70B012298FCB60DF28C950B9ABBB2FB4A300F1044E9C04DA7B54DE749E86DF52

Function 00DA8B12 Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 661113c067db9296277cb78eed07d3534e1ad0fb50f902c81746f340040c0778
Instruction ID: 388fa4a2d7fa66e12122f89182c68e678f943be7377c16736dcd8f1d76e73329
Opcode Fuzzy Hash: 661113c067db9296277cb78eed07d3534e1ad0fb50f902c81746f340040c0778
Instruction Fuzzy Hash: 69213BB4A00209CFCB00EF59D648AAEBBF5FB49304F148855D808A7769DB79ED44CF64

Function 00D5D1CF Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112326681.0000000000D5D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D5D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_d5d000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction ID: 4db8c51d45f143c99ddb1769a7139b2229c208c92af90863def06fa5f705e39e
Opcode Fuzzy Hash: 945d3a080ad63b5e32bcc5b18ec1e97d0272151c1fb78e482730898ede984437
Instruction Fuzzy Hash: 4D118B75504280DFDB16CF14D5C4B15BBA2FB84314F28C6ADDC494B696C33AD84ACB62

Function 00DA7948 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ee1138af3686482edde6f548bc387b720a957ddec6d6cb2744b25efb1fac7bfb
Instruction ID: c904651de561fef170c4df5b5e636141c3caf87516c3ed4166290704fe02e472
Opcode Fuzzy Hash: ee1138af3686482edde6f548bc387b720a957ddec6d6cb2744b25efb1fac7bfb
Instruction Fuzzy Hash: B5115774E49209DFCB00CFB8D8449EEBBB5EF4A300F1485AAD819A7351DB359A12DF61

Function 00DAB15F Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1f1ff98d4e1ee8a54d0a0ad9e125d4bce9cc5362e0f6329e37d4045445dc1b0
Instruction ID: 3483bbee13e2483451c5f8e0948e44e27432ccb740f48e627d178079764bf9a3
Opcode Fuzzy Hash: d1f1ff98d4e1ee8a54d0a0ad9e125d4bce9cc5362e0f6329e37d4045445dc1b0
Instruction Fuzzy Hash: 18111674A01208DFCB04DFA8E994A9EBBB2FB49315F104829E809A7354EB349985CF65

Function 00DA7A15 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f449ec4f5f31a32dac23a89bb8463f14634f85268c859566564ce8a9c24e89f
Instruction ID: ad1aa1d9c23184ffce8a74e9158fcddc78836e41887ad576d099e3928444adc4
Opcode Fuzzy Hash: 7f449ec4f5f31a32dac23a89bb8463f14634f85268c859566564ce8a9c24e89f
Instruction Fuzzy Hash: 5D11F074A01218CFDB54DF58C994B99BBB2FB49308F1044A9D40DA3390EB349E85CF65

Function 00DACD25 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffeae6f2554551d39ec964a118ff41beb9d9e208050666401c1335f9b364b8b8
Instruction ID: 6f38be57ec53abfb52db1e39ce1d7d066fe48a3307478773aaeb8d8203d42f23
Opcode Fuzzy Hash: ffeae6f2554551d39ec964a118ff41beb9d9e208050666401c1335f9b364b8b8
Instruction Fuzzy Hash: AF11C874A002188FCB64DF69C994799BBF2FB49304F1484A6D40DA3794EB349E81DF65

Function 00DAA91C Relevance: .0, Instructions: 40COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41d11cfa3f33377f637b77470afa9b04b3899b9f42ffc5b0872760bfd6bb5346
Instruction ID: 31ee6d16abb5e2988ba040391ebb77e6a486f9e9614c4bbee96f14d9211de856
Opcode Fuzzy Hash: 41d11cfa3f33377f637b77470afa9b04b3899b9f42ffc5b0872760bfd6bb5346
Instruction Fuzzy Hash: 20113A74A00618CFCB60DF58C950799BBB2FB4A305F1054E9C40DA7B50DB34AE85CF61

Function 00DA857C Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b71479c90173227fb8052ec0e49a9c77e44eec487c43911ec41e982055832baf
Instruction ID: 4bf99b136dd6d6347e883c81aa19a5ac9a1a47241ef884e8134316550d1a7395
Opcode Fuzzy Hash: b71479c90173227fb8052ec0e49a9c77e44eec487c43911ec41e982055832baf
Instruction Fuzzy Hash: 2411253494021ACFCB64DF58C984BEEBBB1FB09308F1048E9C419A3744DB749E859F64

Function 00DAA61A Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dada7f57592e4bc37389ad18d8d30708170bc9e51d3dedc819e83d29bf552e42
Instruction ID: e6ad15eb0d40089c91e5be8972d9185a7ef34e90a012f2baa959358bd88abef6
Opcode Fuzzy Hash: dada7f57592e4bc37389ad18d8d30708170bc9e51d3dedc819e83d29bf552e42
Instruction Fuzzy Hash: CB110374A00318CFCBA0DF58C99079ABBB2FB49308F1044E9D409A7351DBB49E80CF60

Function 00DAAE56 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e2410b9afe48f2cff6ca659ffcc22679cc01da9532c330d5d399509b6bf2baa
Instruction ID: 2c1ea8c9baf6d98290a3cdbc1c7374274afd6741e5ca4ea3bd3c914f33100462
Opcode Fuzzy Hash: 2e2410b9afe48f2cff6ca659ffcc22679cc01da9532c330d5d399509b6bf2baa
Instruction Fuzzy Hash: BA111574A01218CFEB60DF58C89079ABBB2FB4A304F1054E9D40DA7752EB349E85CF61

Function 00DA94B9 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 34c2dae51e4ea259760a88fd0dbfdb9b85c78d75a0560d4043d8dceadd120d8c
Instruction ID: 2de45b476c1a63713e71addde2c70d2fdc9153fe3e61eec92dd2ede934a99db2
Opcode Fuzzy Hash: 34c2dae51e4ea259760a88fd0dbfdb9b85c78d75a0560d4043d8dceadd120d8c
Instruction Fuzzy Hash: 8C11F2B4A002188FCB60DF58C994789BBF2FB49304F5084A9D209A7351DB349EC58FA9

Function 00DAB6C2 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bede675c44ec58c6a819248d60cdca7ff18ab2ca7df11712de0583004998a667
Instruction ID: 60f6f28c508c085b1a11ff4a70c27713d360e52756b7cd012674dd24a4c99fa9
Opcode Fuzzy Hash: bede675c44ec58c6a819248d60cdca7ff18ab2ca7df11712de0583004998a667
Instruction Fuzzy Hash: 3611DF74A00218CFCB50DFA8C994799BBB2FB49300F1088AAD50EB7350EB749E858F65

Function 00DA98F7 Relevance: .0, Instructions: 39COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a43bc0b3d02423a06e170a80d39aa7af0c62d78fee5646d8ff8ccb118943077
Instruction ID: c90fe4911ab762d50209055b224726c333247243a896f5d9e00d89326fbdf736
Opcode Fuzzy Hash: 0a43bc0b3d02423a06e170a80d39aa7af0c62d78fee5646d8ff8ccb118943077
Instruction Fuzzy Hash: C111E374A006188FDB60DF58C990BDABBB2EB49309F1044A9C50DA7790EB349EC1DF61

Function 00DA08C0 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 520811dfd871356e87432a60d8083f964876884c8c05dc2f7d8c39cbc3e1aee7
Instruction ID: 49c7ec67b153136541cece7aa40c212cd6efb1557520974b316e55a967585595
Opcode Fuzzy Hash: 520811dfd871356e87432a60d8083f964876884c8c05dc2f7d8c39cbc3e1aee7
Instruction Fuzzy Hash: FBF0F6305083489FD705AFA8DC2569D7FB5EF8B301F404528D5009B2AADFB5590CC7B2

Function 00DAFA50 Relevance: .0, Instructions: 35COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9b34e9374a0a40108c23b5f3f17ad79aa2044ccbaec8e4f65ba4f1287ff8ebc
Instruction ID: 4b2192c14610be3da305ae4feeb7a3ec8ddddb7d566d8a5e34f1a484803de0b5
Opcode Fuzzy Hash: c9b34e9374a0a40108c23b5f3f17ad79aa2044ccbaec8e4f65ba4f1287ff8ebc
Instruction Fuzzy Hash: 6BF01431D1021B8ECB04EBA8C8061EFBBB1EF9A310F10856A9514A7140EB30264A8B91

Function 00DA7A02 Relevance: .0, Instructions: 33COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0da9eb2dba015169e70e276a232a98fcc5e4999aecc9125f7f730d1d04061304
Instruction ID: 4066de4d2c533eae0c34570c8abfbabfd0742dec8c226da29d41943000729f87
Opcode Fuzzy Hash: 0da9eb2dba015169e70e276a232a98fcc5e4999aecc9125f7f730d1d04061304
Instruction Fuzzy Hash: 7FF06834D04204EFCB04DFA8D49166D77B1EF4A305F2484A99C19C7355D7719945DFA1

Function 00DAC085 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02dc70826a47b5d8d4ea795a376a15b98527931da797beca67d0ef852e702fa5
Instruction ID: a015b2b7b0fbb225f9f606abfa49b6af785d5560c690611e2bf2427e21679660
Opcode Fuzzy Hash: 02dc70826a47b5d8d4ea795a376a15b98527931da797beca67d0ef852e702fa5
Instruction Fuzzy Hash: F401C4749002188FDB64EF64C950BAABBF2FB48300F5484A9C58DA7354DE345E859FA0

Function 00DAA125 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc6b054f64ec5d603375322881beeafd7035fcf6d888658a0a75aaada9250b9e
Instruction ID: d35dc9466266e9a82aa88748748f0c1a1ff0d3908f23efaaa2c2fd41f92563f0
Opcode Fuzzy Hash: bc6b054f64ec5d603375322881beeafd7035fcf6d888658a0a75aaada9250b9e
Instruction Fuzzy Hash: B801F674A002298FCB54DF64CA50BDABBB2FF49300F2088EAC509A7355EB749E85CF50

Function 00DAA7F7 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4d4c59636e22c01d2dd915eedd4d9e03866babbed180ca72538f68004f8065cc
Instruction ID: ea6826644559eaf6288433b1de42e5a18a162e8bcca9a2ca78dae4c919ea6456
Opcode Fuzzy Hash: 4d4c59636e22c01d2dd915eedd4d9e03866babbed180ca72538f68004f8065cc
Instruction Fuzzy Hash: F501FF74A0021C8FCB64DF54C960BDA7BB2FB48304F5044EAC40967354DB345E859FA1

Function 00DA8A7B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c509dcbc77479ddd6c827c39a1ad90fd808ddb9b92e4c96fabee300e820dfce
Instruction ID: 2807eb33e0cc8006fa4e3ea8be90a15658b9e935f66440d3df5127d918770b6d
Opcode Fuzzy Hash: 4c509dcbc77479ddd6c827c39a1ad90fd808ddb9b92e4c96fabee300e820dfce
Instruction Fuzzy Hash: AF0128B49002188FCBA4DF28C89079EBBB2FB48305F1044E9D20DA7385DE345E86DF55

Function 00DA9305 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 242c70ceffc4833cee6198aeab22517bcfbfae40b293f32e883e2f023fb94e74
Instruction ID: 7f0cece57323fab923c6fbe508c0b3cd0d1adfdbe754bb0210f2c41506447438
Opcode Fuzzy Hash: 242c70ceffc4833cee6198aeab22517bcfbfae40b293f32e883e2f023fb94e74
Instruction Fuzzy Hash: 2901D674D4421A8FCB95DF64CA50B9ABBF2FB48300F1084E9C54DA7354EE386E859F51

Function 00DAD5DF Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4397cfe0d7bead60381905c6a0764ceb2ccce4b56ec674169677c8830256388a
Instruction ID: 447c6c5ba1a1442f38bbdef20ab5daba33320af6734ba871500a144dca1745e6
Opcode Fuzzy Hash: 4397cfe0d7bead60381905c6a0764ceb2ccce4b56ec674169677c8830256388a
Instruction Fuzzy Hash: 45016D749012188FCB56DF24C96078ABBB6FB48705F1088E9D10DA3356DB349F85CF50

Function 00DAB89C Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b599658c916c33ed521d18df873bc8f0a046f7621af4734d0cfa0a48dc576249
Instruction ID: 98ccadab2cb768a0c46fb236b5e319c1d87e008b42983698da01f8e4f0156be3
Opcode Fuzzy Hash: b599658c916c33ed521d18df873bc8f0a046f7621af4734d0cfa0a48dc576249
Instruction Fuzzy Hash: E101167094021A8FCB54DF64D950BAABBB2EB88300F1085E9C11DA3344DE355E918F50

Function 00DABAE6 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70541263e32003b42dc0ca49203526e115e44dd301448b96ba25637963388f54
Instruction ID: e7b244382d9b7437ca0f88b0c7d3eec5e52a9667f35309a18494ba32ffd04023
Opcode Fuzzy Hash: 70541263e32003b42dc0ca49203526e115e44dd301448b96ba25637963388f54
Instruction Fuzzy Hash: 9701287094021ACFCB64EF64C998BAABBB2FF49340F1044F9C41DA3354DA749E819F60

Function 00DADA8B Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 650ef8a0081142c07930d56b5bfc1547f0a21092462b029a26431e8662612403
Instruction ID: fa5fc64220827cfd2053d61251fdccaa00f38108f1b6c04083f3720320c15e99
Opcode Fuzzy Hash: 650ef8a0081142c07930d56b5bfc1547f0a21092462b029a26431e8662612403
Instruction Fuzzy Hash: 9801C474A00298CFCB54EF64C95079ABBF2FB48300F1089AAC48DA7394DF745E859F90

Function 00DA7BE6 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 55177e451ef71bf474809c610e0ea26f3ebd4d087f1854b8642669b1a82a15ab
Instruction ID: 0af61c787982b8927174ddf0b71fdcdcaf3fb986de4b4ceb1c5ff5a10454d06d
Opcode Fuzzy Hash: 55177e451ef71bf474809c610e0ea26f3ebd4d087f1854b8642669b1a82a15ab
Instruction Fuzzy Hash: B9012474A082288FDB54DF24C95478ABBB3EB88308F1045EAD10DA7344DF369E958F50

Function 00DAE2E1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 63b1a2a72ee9cead16fc8cf02767559650ebc757e6d750e1e8281189fd3f5f1b
Instruction ID: 25aad268088f0530164ce8e2fc0adeb71d62e8f1bbe4340abdbf2dad805b8651
Opcode Fuzzy Hash: 63b1a2a72ee9cead16fc8cf02767559650ebc757e6d750e1e8281189fd3f5f1b
Instruction Fuzzy Hash: BE01E474B012288FCB55DF24C95079ABBB2EF8A300F5084E9D58DA7354DA749E85CF62

Function 00DAE252 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a63d1d759d75644b4c8a6357e5d6e70e61f4276f5eea9f5cc58ce95e0aaec4b7
Instruction ID: 64483edd163da7732d887657bb3d48934b5d1339ead55ec10e59cf798fe57a32
Opcode Fuzzy Hash: a63d1d759d75644b4c8a6357e5d6e70e61f4276f5eea9f5cc58ce95e0aaec4b7
Instruction Fuzzy Hash: 1E012874B002188FCB60DF24C95469ABBB2FB4A300F1088E9C04EA3744DF345E85DF52

Function 00DAA24A Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d791531bdab3a5becfa5fc33a8d824a1e7d509f263f3aff81081b4d8e00812d9
Instruction ID: 7107d369e2774319207c0481355906aee552d36c5514f558cbf9986f784464ee
Opcode Fuzzy Hash: d791531bdab3a5becfa5fc33a8d824a1e7d509f263f3aff81081b4d8e00812d9
Instruction Fuzzy Hash: 75F0C474A002088FDB65DFB9C59069EBBB2FB49300F30452ED51AA7356EB349D468F51

Function 00DAC239 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6616a715597ef2fd6beb0e1f7267f1bb477d20170eccf76f2ce4a9d3e014330
Instruction ID: 665b9ce2578b16a1c2477068240c3808dd1f2bdbfbd8eca6aaff56223e2ec2c6
Opcode Fuzzy Hash: c6616a715597ef2fd6beb0e1f7267f1bb477d20170eccf76f2ce4a9d3e014330
Instruction Fuzzy Hash: F4016930A0162A8FCB64DF64DDA07AABBB2FB48301F0044EAD50D93744EE34AE81DF50

Function 00DAE3FF Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3809cc8fac125c94cb1125b0d6b62627f89f2a5e96e98a02ef3ace44f7563551
Instruction ID: 47712b90183ee49f90c831ec8d46ca9cad9e218478a6534f29345a26cb95f655
Opcode Fuzzy Hash: 3809cc8fac125c94cb1125b0d6b62627f89f2a5e96e98a02ef3ace44f7563551
Instruction Fuzzy Hash: 23013C74A012288FCB64EF24C99979ABBB2FF49300F1048E9D40DA7755DB349E81CF50

Function 00DAA34D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c23d91c59cf4f838e001e198eb671839c94167f96ed71eec613bdb8da8556669
Instruction ID: f20a186a80c12ecf0c86db86cc694ceb43e24c32a3d45530bff06c8b62d5e5ff
Opcode Fuzzy Hash: c23d91c59cf4f838e001e198eb671839c94167f96ed71eec613bdb8da8556669
Instruction Fuzzy Hash: AF01E474E092288FCB95DF28C960B9ABBB2FB48700F1044E9D40D97355DB38AE81CF91

Function 00DAC4A4 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 71a087a2fcda7965abc1d56a72b1df1c7c444b487a048fc9deeb784c0b472221
Instruction ID: 3d19d3ddd0e9001504c7c7097ab5718240e10a07a10db446025a490204bb1e6d
Opcode Fuzzy Hash: 71a087a2fcda7965abc1d56a72b1df1c7c444b487a048fc9deeb784c0b472221
Instruction Fuzzy Hash: 31011DB49001188FCB54DF54C950799BBB2FB48304F1084EAD749A7355DB749E86CF68

Function 00DAC5C2 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 946c15c1b20ed54ec7706bd6152ce978b0462936500320c67cd0509941b742f0
Instruction ID: 7067b998884332b5e6b82169ee4d6044dc3bf120543d6bcc0bd4f078c37756e7
Opcode Fuzzy Hash: 946c15c1b20ed54ec7706bd6152ce978b0462936500320c67cd0509941b742f0
Instruction Fuzzy Hash: 3F01FB74A012188FCB54EF54C95079ABBB3FF8A300F1044EAD549A7355EF355E918F52

Function 00DA8638 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: baa5e16c90040db8b80f811546d056c5afe558ca75f49a14425b179867e227da
Instruction ID: 83f5852465debfea294b207a7bb51908c3601476b0ce4f4d909da8d096814fb4
Opcode Fuzzy Hash: baa5e16c90040db8b80f811546d056c5afe558ca75f49a14425b179867e227da
Instruction Fuzzy Hash: 59011974A0022C8FCB59DF24C991BDABBB2FB4D300F1085E9C54997355EA349E828F90

Function 00DAE84D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c5c8469962841ed38faa6b57f0b85ee8335ebfab21fc3e3ad4a7d6ace430cbba
Instruction ID: 55a029880d587a6d9bb8955c57740cc030707bc0a28b4dc99e9b1368020a1fc5
Opcode Fuzzy Hash: c5c8469962841ed38faa6b57f0b85ee8335ebfab21fc3e3ad4a7d6ace430cbba
Instruction Fuzzy Hash: 4E01FB74D04218CFCB55DF24C95079AB7B2FB49300F1046E9D64DA7354DB78AE818F51

Function 00DAE9FB Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b329679f742bb0b9d49f08502f1aeca3f6c86b052438bcd5db09225c2abc364e
Instruction ID: 19becf90fc637ef26f678a5530da12a412a82a3fb874114ae7729aa0ef0f8c20
Opcode Fuzzy Hash: b329679f742bb0b9d49f08502f1aeca3f6c86b052438bcd5db09225c2abc364e
Instruction Fuzzy Hash: AB011D749009188FCB64DF58CD6079ABBB2FB49306F1084E9C40DA7755EB345E85DF50

Function 00DACBBE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecf9263c23b5687cc12d110477ee36d87131b776f7343cb5e83a511ce0253fd3
Instruction ID: 9f41dab0e80f7a528f4bcc7b3e84f0dbb7a64219ee9f8ecf660645e8f5064da3
Opcode Fuzzy Hash: ecf9263c23b5687cc12d110477ee36d87131b776f7343cb5e83a511ce0253fd3
Instruction Fuzzy Hash: DA0128749012188FDB56DF94C954B89B7B6FB49700F1054E9D50DB3344DB749F818F50

Function 00DA8B2B Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a1c0661d6fcfccf284854d9e3b7594adca682a80050a8f9dce979f8bdeb0162
Instruction ID: c66627788d75d669cab97659301ef7497242b66b775ea35f624601f3a5af764e
Opcode Fuzzy Hash: 0a1c0661d6fcfccf284854d9e3b7594adca682a80050a8f9dce979f8bdeb0162
Instruction Fuzzy Hash: 7C01E474E04A288FCBA5DF64CD907DABBB2FB48305F1044E9D40EA7354DA78AE858F51

Function 00DACB2F Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b6f45d8a8cd46937c5477ac24f10217d9152330eb0d51cd749ec7c454a663e57
Instruction ID: 5d9c12482911a0be4c5cc7f0e6625daf72c68fa3c9efade5924a7b2f42da6020
Opcode Fuzzy Hash: b6f45d8a8cd46937c5477ac24f10217d9152330eb0d51cd749ec7c454a663e57
Instruction Fuzzy Hash: A10131749002188FCB54DF94C95079ABBB6FB48318F1084E9D44DA7365DF749E85DF60

Function 00DA8CD8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705f87965146fdbe22f078c32a62659ef0962c66fbfb0662f5122648f83f5066
Instruction ID: 9cdb11f4a6af145563c0c85469cbbcd8190da3e0b9a28751bb64a511f71cfce9
Opcode Fuzzy Hash: 705f87965146fdbe22f078c32a62659ef0962c66fbfb0662f5122648f83f5066
Instruction Fuzzy Hash: EC01E8749002188FCB95DF14C9506997BF6FF48301F10C5E9C489A7355DE345E898F91

Function 00DAAC18 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6110996fee470c85e9548c0db6cb9934009d6db383caa44b454d8a5b1b480d04
Instruction ID: 4891d6d1d4454105fdd466c1021b378389ffdfcfc30e916e96e9730b0fcee4b5
Opcode Fuzzy Hash: 6110996fee470c85e9548c0db6cb9934009d6db383caa44b454d8a5b1b480d04
Instruction Fuzzy Hash: DC0128B49002188FCB60DF68C99079A7BB2FB49300F1044F9C60D97704DB349E85DF65

Function 00DAEC38 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e91c2bffc6f316dc9ecd00ba485a6f14aeb3e7eef8131a35cdabc4c594aa1043
Instruction ID: fd8e60454056d98e31da2071ea7bc5b23edc6567e6e7392ae95e7facc94a4963
Opcode Fuzzy Hash: e91c2bffc6f316dc9ecd00ba485a6f14aeb3e7eef8131a35cdabc4c594aa1043
Instruction Fuzzy Hash: FA0131749012988FDB54DF54C95679EBBB6FB88304F1044EAC44DA7356DB349E81CF50

Function 00DA8E84 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e1b0f684746f7a2d3fbcdf6a30b84edf6f37d0487de3e3c6fb878fd38c345775
Instruction ID: 26f05400d7ff44299fbac72cfb80d41a972b5e679b7fe41b26cfcf92434863dd
Opcode Fuzzy Hash: e1b0f684746f7a2d3fbcdf6a30b84edf6f37d0487de3e3c6fb878fd38c345775
Instruction Fuzzy Hash: ED011974A063288FEB64DF24EA9079ABBB2FB89310F1044E9C40D97356DB349E81DF50

Function 00DA8FA9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c174fe0bf09c52f50f7e981a7f59881bef3516c8caefec8a75fed2822c7fdca3
Instruction ID: 41919ac2ae30c3c35b3f061b95a68d92f4450f114e41663cb37813b939fc2d05
Opcode Fuzzy Hash: c174fe0bf09c52f50f7e981a7f59881bef3516c8caefec8a75fed2822c7fdca3
Instruction Fuzzy Hash: 8B01E474E042288FCBA5DF24C99079ABBB2EB49300F1044E9D44DA7354EB38AE81DF51

Function 00DAEF38 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c38aa842692d08d60fcb7d2490d5c597d9c03ef0c23fecaca2e0cf9363e761f
Instruction ID: 6203fac3e35a351c16ff3b1fe24f93d5bec6da8484c4db82eac4c82bce719277
Opcode Fuzzy Hash: 4c38aa842692d08d60fcb7d2490d5c597d9c03ef0c23fecaca2e0cf9363e761f
Instruction Fuzzy Hash: C2F03470A04248AFCB45CFA8D885698BFB1EF4A310F14C0AAE844DB311D2325A52DB41

Function 00DA90C8 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 289d4130dd4f9bdca88bb23700b0c2e5afad06515cb0be90bf2e44424b39bff5
Instruction ID: 2e819a4a10ad4cbfe8f43a99af311c20801d219298ac9faeed2b7e38f9360a23
Opcode Fuzzy Hash: 289d4130dd4f9bdca88bb23700b0c2e5afad06515cb0be90bf2e44424b39bff5
Instruction Fuzzy Hash: FB01EF74A042288FCB65DF24C9506EABBB2FB49300F5046E9D54DA7354EB359E81CFA0

Function 00DAD042 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5919e076e8001dde2a7f9ff40a09aeb705d930b24b7fd552a79bb2dca648871e
Instruction ID: 89a01f67dc03e2c3b387d4d42f6a618f7c160ec2428339869d82801d16c29e58
Opcode Fuzzy Hash: 5919e076e8001dde2a7f9ff40a09aeb705d930b24b7fd552a79bb2dca648871e
Instruction Fuzzy Hash: 3F01F674A002288FCB55EF24C9507DABBB2FB49300F1049E9C589A7354DBB49EC18FA1

Function 00DAD167 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc69c7376a4de75c13042a0be205a3cc382df9d765fc6272b550aa027375e60f
Instruction ID: bdd1a2a44f5f3d32ce373a2b5d93d8352cfe6a83b30535949095a44930b1cf3a
Opcode Fuzzy Hash: bc69c7376a4de75c13042a0be205a3cc382df9d765fc6272b550aa027375e60f
Instruction Fuzzy Hash: 2B01E8749042188FCB54DF64C95469A7BF2FB49300F60C4E9D58DA7358DE349E859F90

Function 00DAB2F2 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f5ac9623427fcc2f0bc958256c68a7721cb6017e142c30197a0e8f9dc414e932
Instruction ID: 073c4535a05ae9d36f6c845e18d02e08eea9566dd6cdfe50d61fde50dfce5b6d
Opcode Fuzzy Hash: f5ac9623427fcc2f0bc958256c68a7721cb6017e142c30197a0e8f9dc414e932
Instruction Fuzzy Hash: 7701F674A0035C8FCB64EF64C95479ABBB2FB4A300F1085E9D50A93B54EB389E85DF52

Function 00DAD4C1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b645b7b1ccccd5f304560d1e321bc9d6ad1c137b7035e7ec6f7590e9e731624
Instruction ID: 1d65b38630f831e4d04b1eb02d60ef0e01f3444e4133073ae5638aacf709c4ab
Opcode Fuzzy Hash: 9b645b7b1ccccd5f304560d1e321bc9d6ad1c137b7035e7ec6f7590e9e731624
Instruction Fuzzy Hash: C501FB74900A588FCB54DF28CD6079B7BB2FB48302F5044E9C44DA7354EA355E85DF50

Function 00DAB4A0 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 80ad1ec7788badee77d7b1ba8c5515c416037187d736d68893a46c9b0c933c99
Instruction ID: 7fbcaa2b53844b08fc3674ab439d65f9e458719b4cadfab062491261913e582d
Opcode Fuzzy Hash: 80ad1ec7788badee77d7b1ba8c5515c416037187d736d68893a46c9b0c933c99
Instruction Fuzzy Hash: 0FF01D74E00208CFCB55DFA8C55069EBBB2FF49300F20442AD549A7355EB34AD46DF61

Function 00DAB5A4 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 76e6c86b5368418bee22918923703a61edc4a4695b4bc6838ccf58eab08ad622
Instruction ID: b61f460af02fda1cefe163e37db4b5e3dc510ed786787607894461c18498916d
Opcode Fuzzy Hash: 76e6c86b5368418bee22918923703a61edc4a4695b4bc6838ccf58eab08ad622
Instruction Fuzzy Hash: B7011D74A043188FCB65DF68CA50799B7B2FB49304F1044E9C50D97756EB34AE81DF51

Function 00DAD8DE Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a9b976ef0f86de1c14bc0431a1d55619a328b90baaef683feef887cba02b8397
Instruction ID: f555972a27329c0e03926c9dabe4cbe37b9574e84ec180a1ae7e2f07ba01f003
Opcode Fuzzy Hash: a9b976ef0f86de1c14bc0431a1d55619a328b90baaef683feef887cba02b8397
Instruction Fuzzy Hash: 5B0119B4A022288FEB55DF64C99079ABBB2FB89300F1044E9C509A7356DB769E85CF50

Function 00DAB80D Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06c80ca3bbbeb7bdf623841129d72060adfb43cceda1794522ac8039f3738350
Instruction ID: ead2255b48515bf783fa04d82d7d37ee99e4e94a0ed7a40d941df4bd4f7aa59d
Opcode Fuzzy Hash: 06c80ca3bbbeb7bdf623841129d72060adfb43cceda1794522ac8039f3738350
Instruction Fuzzy Hash: 7F01FB78A002188FCB64DF54C95079E7BB2FB89300F1044E9D50D97B54DF745E819F52

Function 00DAB932 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: df8128daca603a31fca347fa8c253c7426aa66e9a20d1926b3d96cc4572e5399
Instruction ID: cb03e624116e0d9a0c7b0abca8977705607f424129d579751c8ea6d6ccf30ddf
Opcode Fuzzy Hash: df8128daca603a31fca347fa8c253c7426aa66e9a20d1926b3d96cc4572e5399
Instruction Fuzzy Hash: 8F014631A001288FCB60EFA4D95479ABBB2FB4C300F1084EAC409A3315EE349E859F60

Function 00DA9AD1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50fdeffe4b7bac9f9e903ab6a2bbfe8c7d1fce8355fadaa6095b2aed5d9ab26e
Instruction ID: 3fb30286d9a970922751f01e3180415bc8a77ee077a2ee903b208afd4815d863
Opcode Fuzzy Hash: 50fdeffe4b7bac9f9e903ab6a2bbfe8c7d1fce8355fadaa6095b2aed5d9ab26e
Instruction Fuzzy Hash: F801E474A00A288FCB94DF68CD5069ABBB3FB88306F1045E9C409A7354DF369E998F50

Function 00DADBD1 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1c6bd24a11aa00fa6b09a5a80f85786e500867e2ea01e3bcb922d3e5c9d2bb76
Instruction ID: dccbef06350b55a23d5c534e3517351edefcddbb9c82c4182e8d82bef4592231
Opcode Fuzzy Hash: 1c6bd24a11aa00fa6b09a5a80f85786e500867e2ea01e3bcb922d3e5c9d2bb76
Instruction Fuzzy Hash: 2A01E8B498221ACFEB54DF24CA547AA7BB2FB88300F1046F9D419E3356DB349E858F50

Function 00DA9DC9 Relevance: .0, Instructions: 28COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 960eb79b2cfdfd389617867b7abbacfc5355c457a8026509491a41c63f3c594e
Instruction ID: e2fbb807be3c7ee4320c397306b016c46d56169574560e1a9e41673e1de087af
Opcode Fuzzy Hash: 960eb79b2cfdfd389617867b7abbacfc5355c457a8026509491a41c63f3c594e
Instruction Fuzzy Hash: 8B011974A012288FDB64DF24C991B9ABBB3FB88300F1045E9C50D97355DE369E91CF50

Function 00DAF5F9 Relevance: .0, Instructions: 26COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 104ec9bb9da8ff035eebabca5d11ae4084d70a5619c086e4be482660a41f9864
Instruction ID: e51804b849f1f8fcb6e530e38f64575d20838405c846a76c964dd11603494fa3
Opcode Fuzzy Hash: 104ec9bb9da8ff035eebabca5d11ae4084d70a5619c086e4be482660a41f9864
Instruction Fuzzy Hash: C5F03430E04288AFCB42CFA8D4916ACBFB1EF4A214F1881EAC85897312D2365A16DF41

Function 00DA7991 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 711ade537b6b2af31587dd25f773865a5c6ec74e0099b5a5c6b12458b1935b30
Instruction ID: 8f7beef4df33d1fa70a9010ec159c1efe1592c1f7926cc8ee5313c4c7fda6f30
Opcode Fuzzy Hash: 711ade537b6b2af31587dd25f773865a5c6ec74e0099b5a5c6b12458b1935b30
Instruction Fuzzy Hash: 50F0F270E05248AFCB50DFB8D986ADDBFB1EB49314F18C1AAD81897312D7329A56CF41

Function 00DAEF48 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 345e3e42f744fdc41a39e6a4c0007673682f87b074c2f5deaaabde8501572ea8
Instruction ID: da7639b7e70c676838bf6bec8ba083cbba2f99ff3dcc7b18e2b54fc12271c7a8
Opcode Fuzzy Hash: 345e3e42f744fdc41a39e6a4c0007673682f87b074c2f5deaaabde8501572ea8
Instruction Fuzzy Hash: C0E0C274E00208EFCB44DFA8D945A9CBBF1EB48310F10C1AAA818A3340D732AA51DF95

Function 00DAE5D2 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e14b30924a9e6e3e989c9b118577c7a624b5b9b3c64fa0f1f6a48daa5b3dbab5
Instruction ID: 3937cd0dc474a6cd8d0602f24a17ed412872be177ccde81028c2f6e80bd609c3
Opcode Fuzzy Hash: e14b30924a9e6e3e989c9b118577c7a624b5b9b3c64fa0f1f6a48daa5b3dbab5
Instruction Fuzzy Hash: 2FE0ED34D092598FCB11DF24C9406ADB7B5FF46304F2489E6C84DA3245EB749E46DFA1

Function 00DA7423 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca4429f48324f9cf7fad175b5e8cdf558db83d406e7f8b891960200c1b62425
Instruction ID: da4f48bbfc3ec67590138dfdbd748624846b12c24d642518bbfb3bc529b179e0
Opcode Fuzzy Hash: 5ca4429f48324f9cf7fad175b5e8cdf558db83d406e7f8b891960200c1b62425
Instruction Fuzzy Hash: 71E04F34905244DFC706DFA8D85169CBFB0EF4A205F5880E9DC449B362D6319D57D792

Function 00DAF608 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d07e2fe6fb2889096bf2aa37d945703cbe3e3a76deb52874b936ef04680ca756
Instruction ID: 1c71c2f492efc33dc2f0400b4d189c52d15c0738bcd24f0fd7bb98eca8eec124
Opcode Fuzzy Hash: d07e2fe6fb2889096bf2aa37d945703cbe3e3a76deb52874b936ef04680ca756
Instruction Fuzzy Hash: 23E07574E00208EFCB44DFA8D545A9DBBF4EB48315F14C1A9981893351D7369A51DF91

Function 00DA0891 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6fc9e78ea126ef7c727afd8baeb25592dce63646c77a3149dc373f4fda6a5b92
Instruction ID: 8c32a0568b7d88cb2900c5de182f0f4f50c0dd29759fd9c49c7541c6d8d33aab
Opcode Fuzzy Hash: 6fc9e78ea126ef7c727afd8baeb25592dce63646c77a3149dc373f4fda6a5b92
Instruction Fuzzy Hash: 95D0132014E3854FD71367649C543647F745B07316FC90192D944C65E3C7DD5459C3BB

Function 00DA08A0 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2112657300.0000000000DA0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00DA0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_da0000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 641c88f917df7eac4ce3c8b6e481d94b50c561c8321249f6cdb15441917a0357
Instruction ID: 475b83f11cf07e9ffdb625c5a584074818c1aa699cafdca3b96ef5c01552c206
Opcode Fuzzy Hash: 641c88f917df7eac4ce3c8b6e481d94b50c561c8321249f6cdb15441917a0357
Instruction Fuzzy Hash: 38B09B3004171486D5156794F9097647A98670631BFC40110A90D41561C7A59450C5FF

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use methods of capturing user input to obtain credentials or collect information. During normal system usage, users often provide credentials to various different locations, such as login pages/portals or system dialog boxes. Input capture mechanisms may be transparent to the user (e.g. Credential API Hooking ) or rely on deceiving the user into providing input into what they believe to be a genuine service (e.g. Web Portal Capture ).
Tactics:	Collection, Credential Access
Data Sources:	Driver: Driver Load, File: File Modification, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Windows Registry: Windows Registry Key Modification
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Unpacked PEs

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\MsBuild.exe.log

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\file.exe.log

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Network Behavior

Network Port Distribution

Windows Analysis Report
file.exe

Function 6E12B6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Function 06700EB3 Relevance: 29.6, Strings: 23, Instructions: 800
COMMON

Function 6E11B6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Function 6E122970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Function 6E11AF30 Relevance: 24.3, APIs: 16, Instructions: 335
COMMON

Function 6E12D410 Relevance: 24.3, APIs: 16, Instructions: 290
COMMON

Function 6E12D468 Relevance: 21.2, APIs: 14, Instructions: 226
COMMON

Function 6E1244C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Function 6E12BF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Function 6E1264D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Function 6E12CB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Function 6E11A350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Function 6E12CD20 Relevance: 15.5, APIs: 10, Instructions: 485
COMMON

Function 6E1266A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Function 6E12840E Relevance: 13.8, APIs: 9, Instructions: 332
COMMON