Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe
Analysis ID:	1543365
MD5:	992a36edccd6fb4db6aad9c43329cb04
SHA1:	5276588b19a213b10a8c25c6c08e11d4621124d5
SHA256:	b157d6d7519daf5b2ca2b514d6291d3df5c1971884ff429e48045bd7161ca369
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to hide a thread from the debugger

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Hides threads from debuggers

Tries to detect sandboxes and other dynamic analysis tools (window names)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse usering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found evasive API chain checking for process token information

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe (PID: 5980 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5: 992A36EDCCD6FB4DB6AAD9C43329CB04)

conhost.exe (PID: 5308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 5812 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 4824 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 | find /i /v "md5" | find /i /v "certutil" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

certutil.exe (PID: 6392 cmdline: certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 MD5: 0DDA4F16AE041578B4E250AE12E06EB1)

find.exe (PID: 5100 cmdline: find /i /v "md5" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

find.exe (PID: 5328 cmdline: find /i /v "certutil" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

cmd.exe (PID: 7156 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 6704 cmdline: cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3636 cmdline: timeout /t 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

WerFault.exe (PID: 5716 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 1104 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E8F990 BCryptGenRandom,

0_2_00E8F990

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000000.2134340036.0000000000EC1000.00000002.00000001.01000000.00000003.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_1f749c83-4

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.6:49712 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E63BEB GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,___std_fs_close_handle@4,

0_2_00E63BEB

Source: Joe Sandbox View

IP Address: 104.26.1.5 104.26.1.5

Source: Joe Sandbox View

JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.2217484239.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.2217484239.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/..~
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.2217484239.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/8
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.2217484239.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/E

Source: unknown	Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49712

Source: unknown

HTTPS traffic detected: 104.26.1.5:443 -> 192.168.2.6:49712 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E4EDB0 GetModuleHandleW,GetProcAddress,NtSetInformationThread,VirtualAlloc,VirtualAlloc,VirtualFree,GetModuleFileNameW,GetShortPathNameW,GetEnvironmentVariableW,ShellExecuteW,NtTerminateProcess,GetCurrentProcess,NtTerminateProcess,GetWriteWatch,VirtualFree,VirtualFree,VirtualFree,GetModuleHandleW,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LoadLibraryA,GetProcAddress,OpenProcess,CloseHandle,CreateFileA,CloseHandle,GetProcessHeap,HeapWalk,memset,GetCurrentThread,GetThreadContext,

0_2_00E4EDB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E321F0	0_2_00E321F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E6C150	0_2_00E6C150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4EDB0	0_2_00E4EDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E8D550	0_2_00E8D550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E51670	0_2_00E51670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E3A610	0_2_00E3A610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E368D0	0_2_00E368D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E358B0	0_2_00E358B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E28060	0_2_00E28060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E3B822	0_2_00E3B822
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4D020	0_2_00E4D020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E46020	0_2_00E46020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E24800	0_2_00E24800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4B000	0_2_00E4B000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E481D6	0_2_00E481D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4B960	0_2_00E4B960
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E52950	0_2_00E52950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E23920	0_2_00E23920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E46AD0	0_2_00E46AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E24350	0_2_00E24350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4B320	0_2_00E4B320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E8CB30	0_2_00E8CB30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E444A0	0_2_00E444A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4ACB0	0_2_00E4ACB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4BC90	0_2_00E4BC90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E49D80	0_2_00E49D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E40D00	0_2_00E40D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E31ED0	0_2_00E31ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4B640	0_2_00E4B640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4D7C0	0_2_00E4D7C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E38FA0	0_2_00E38FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E47FA0	0_2_00E47FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4A7B0	0_2_00E4A7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E64763	0_2_00E64763
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E82710	0_2_00E82710

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 1104

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.evad.winEXE@20/6@1/2

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess5980
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5308:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\1ffb3444-e011-401c-bb20-355d40057d6d

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

ReversingLabs: Detection: 42%

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

String found in binary or memory: iphlpapi.dllif_nametoindexws2_32FreeAddrInfoExWGetAddrInfoExCancelGetAddrInfoExWkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "md5"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 1104
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static file information: File size 1236992 > 1048576

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E50910 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualFree,

0_2_00E50910

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E560C8 push esp; ret		0_2_00E560C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E37CDA push ebx; retn 0002h		0_2_00E37CE5

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect virtual machines (IN, VMware)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E514A0 in eax, dx

0_2_00E514A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Memory allocated: 3360000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Memory allocated: 3460000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Memory allocated: 3830000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Check user administrative privileges: GetTokenInformation,DecisionNodes

graph_0-23079

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

API coverage: 8.9 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 6448

Thread sleep count: 42 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

0_2_00E63BEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E50E60 GetSystemInfo,VirtualAlloc,VirtualProtect,

0_2_00E50E60

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: VMware-42 27 80 4d 99 30 0e 9c-c1 9b 2a 23 ea 1f c4 20
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.2217484239.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E4EDB0 NtSetInformationThread 000000FE,00000011,00000000,00000000

0_2_00E4EDB0

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Open window title or class name: windbgframeclass

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E64AD5 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00E64AD5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E50E60 VirtualProtect 00000000,?,00000140,00000000

0_2_00E50E60

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E50910 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualFree,

0_2_00E50910

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4EDB0 mov eax, dword ptr fs:[00000030h]	0_2_00E4EDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4EDB0 mov eax, dword ptr fs:[00000030h]	0_2_00E4EDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E578C0 mov eax, dword ptr fs:[00000030h]	0_2_00E578C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E57040 mov eax, dword ptr fs:[00000030h]	0_2_00E57040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E52950 mov eax, dword ptr fs:[00000030h]	0_2_00E52950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E52950 mov eax, dword ptr fs:[00000030h]	0_2_00E52950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E59920 mov eax, dword ptr fs:[00000030h]	0_2_00E59920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E59920 mov eax, dword ptr fs:[00000030h]	0_2_00E59920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E59920 mov eax, dword ptr fs:[00000030h]	0_2_00E59920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E59920 mov eax, dword ptr fs:[00000030h]	0_2_00E59920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53930 mov eax, dword ptr fs:[00000030h]	0_2_00E53930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E51A10 mov eax, dword ptr fs:[00000030h]	0_2_00E51A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E51A10 mov eax, dword ptr fs:[00000030h]	0_2_00E51A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E56390 mov eax, dword ptr fs:[00000030h]	0_2_00E56390
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53360 mov eax, dword ptr fs:[00000030h]	0_2_00E53360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E57480 mov eax, dword ptr fs:[00000030h]	0_2_00E57480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E565C7 mov eax, dword ptr fs:[00000030h]	0_2_00E565C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E4EDA0 mov eax, dword ptr fs:[00000030h]	0_2_00E4EDA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E505B0 mov ecx, dword ptr fs:[00000030h]	0_2_00E505B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E58D80 mov eax, dword ptr fs:[00000030h]	0_2_00E58D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E58D80 mov eax, dword ptr fs:[00000030h]	0_2_00E58D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53550 mov eax, dword ptr fs:[00000030h]	0_2_00E53550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53550 mov eax, dword ptr fs:[00000030h]	0_2_00E53550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E57D00 mov eax, dword ptr fs:[00000030h]	0_2_00E57D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E5AE20 mov eax, dword ptr fs:[00000030h]	0_2_00E5AE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E5AE20 mov eax, dword ptr fs:[00000030h]	0_2_00E5AE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E5AE20 mov eax, dword ptr fs:[00000030h]	0_2_00E5AE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E5AE20 mov eax, dword ptr fs:[00000030h]	0_2_00E5AE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E55E00 mov eax, dword ptr fs:[00000030h]	0_2_00E55E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E58600 mov eax, dword ptr fs:[00000030h]	0_2_00E58600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E567C1 mov eax, dword ptr fs:[00000030h]	0_2_00E567C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E567C1 mov eax, dword ptr fs:[00000030h]	0_2_00E567C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E5A770 mov eax, dword ptr fs:[00000030h]	0_2_00E5A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E5A770 mov eax, dword ptr fs:[00000030h]	0_2_00E5A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E5A770 mov eax, dword ptr fs:[00000030h]	0_2_00E5A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E5A770 mov eax, dword ptr fs:[00000030h]	0_2_00E5A770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53710 mov eax, dword ptr fs:[00000030h]	0_2_00E53710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E53710 mov eax, dword ptr fs:[00000030h]	0_2_00E53710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E5571B mov eax, dword ptr fs:[00000030h]	0_2_00E5571B
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E5571B mov eax, dword ptr fs:[00000030h]	0_2_00E5571B

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

0_2_00E4EDB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E64AD5 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00E64AD5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00E6430F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_00E6430F

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Memory protected: page execute and read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E53360 VirtualAllocEx,OpenThread,SuspendThread,GetThreadContext,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

0_2_00E53360

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E2E840 VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,GetExitCodeProcess,Sleep,GetExitCodeProcess,ReadProcessMemory,Sleep,malloc,memset,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,WriteProcessMemory,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,

0_2_00E2E840

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: GetLocaleInfoEx,FormatMessageA,

0_2_00E63EAF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E64CE5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_00E64CE5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_00E28060 _invalid_parameter_noinfo_noreturn,GetUserNameA,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_00E28060

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	211 Process Injection	32 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	331 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	32 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	42%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	104.26.1.5	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
https://curl.se/docs/alt-svc.html#	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
https://keyauth.win/api/1.2/8	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.2217484239.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://upx.sf.net	Amcache.hve.14.dr	false	URL Reputation: safe	unknown
https://curl.se/docs/http-cookies.html#	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
https://curl.se/docs/alt-svc.html	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
https://curl.se/docs/http-cookies.html	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
https://curl.se/docs/hsts.html#	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
https://keyauth.win/api/1.2/	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.2217484239.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keyauth.win/api/1.2/..~	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.2217484239.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keyauth.win/api/1.2/E	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.2217484239.00000000015FE000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.1.5	keyauth.win	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543365
Start date and time:	2024-10-27 18:42:45 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 5m 25s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	17
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@20/6@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 64% Number of executed functions: 27 Number of non-executed functions: 142
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 104.208.16.94
Excluded domains from analysis (whitelisted): client.wns.windows.com, ocsp.digicert.com, otelrules.azureedge.net, login.live.com, slscr.update.microsoft.com, blobcollector.events.data.trafficmanager.net, ctldl.windowsupdate.com, umwatson.events.data.microsoft.com, fe3cr.delivery.mp.microsoft.com, onedsblobprdcus16.centralus.cloudapp.azure.com
Not all processes where analyzed, report is missing behavior information
VT rate limit hit for: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Simulations

Behavior and APIs

Time	Type	Description
13:43:45	API Interceptor	1x Sleep call for process: WerFault.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.1.5	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.6030.29502.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Trojan.Generic.36879400.484.7364.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.6639.30242.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.Evo-gen.24402.15705.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win64.MalwareX-gen.25010.24037.exe	Get hash	malicious	Unknown	Browse
	lvXRlexBnb.exe	Get hash	malicious	Unknown	Browse
	oMBUxRQ4cj.exe	Get hash	malicious	Unknown	Browse
	G9e272AEyo.exe	Get hash	malicious	Unknown	Browse
	Frozen_Slotted.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	xxImTScxAq.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	4aOgNkVU5z.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Get hash	malicious	Xmrig	Browse	104.20.4.235
	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Trojan.TR.Redcap.cdtxw.10783.3124.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	f6ffg1sZS2.exe	Get hash	malicious	Babuk, Djvu	Browse	188.114.96.3
	wo4POc0NG1.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.170.64
	K3SRs78CAv.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.95.91
	file.exe	Get hash	malicious	Stealc, Vidar	Browse	172.64.41.3
	file.exe	Get hash	malicious	LummaC	Browse	104.21.95.91
	file.exe	Get hash	malicious	LummaC	Browse	104.21.95.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bd0bf25947d4a37404f0424edf4db9ad	sadfwqefrqw3f.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Win64.Evo-gen.20107.17462.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.FileRepMalware.12025.7543.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1319832.32667.20795.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	104.26.1.5
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	104.26.1.5
	SecuriteInfo.com.Win32.CrypterX-gen.13288.14467.dll	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Win32.CrypterX-gen.13288.14467.dll	Get hash	malicious	Unknown	Browse	104.26.1.5
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	104.26.1.5
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	104.26.1.5

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_9ffa6a94f5231de6490ea3ae72ad68e315c65_678091f3_28510c0d-5783-4216-b77c-15c8c303aad7\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9221590033519892
Encrypted:	false
SSDEEP:	96:q5FSSR7zsKhGQ7LVSFQXIDcQ8c6DFcE6cw32+HbHg/opAnQzOqg7TKENdUzX0i1j:io0P70ytgrjb5zuiFoZ24IO8mM
MD5:	070984A02152624D0A3A40445ADEA878
SHA1:	7E14C058B958B6F81485F14DFB6798E624B8C2AE
SHA-256:	6BCA22E4A7610A2F9F3CFEC5F0E560ED5E4718CDA1AF0F5428812EEC838C9651
SHA-512:	AF0EB6D0E6390760146F5A2E71CE8FB1FD74630E965F5C98847959C30B8EB20AE6AC14A39A00DA5674DEFBAE6355C0941794009A5CBA0B3795BDB4B681E7BA19
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.5.2.4.6.2.1.7.2.6.8.6.0.5.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.5.2.4.6.2.2.3.3.6.2.4.2.6.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.2.8.5.1.0.c.0.d.-.5.7.8.3.-.4.2.1.6.-.b.7.7.c.-.1.5.c.8.c.3.0.3.a.a.d.7.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.5.3.0.a.3.0.7.e.-.6.b.c.0.-.4.2.c.7.-.8.8.c.3.-.9.8.c.c.6.d.8.3.1.e.8.8.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...G.e.n.e.r.i.c.K.D...7.4.4.4.4.4.2.8...1.7.3.3.6...1.0.1.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.1.7.5.c.-.0.0.0.1.-.0.0.1.5.-.3.0.9.9.-.6.0.c.0.9.7.2.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9362.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 27 17:43:42 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	101972
Entropy (8bit):	1.7277431807950245
Encrypted:	false
SSDEEP:	384:1cYhkYdps0CqtTLpzthFqQsQr9bUGUJdr1C2vuYOZ:FSYdps0tLpz/FmC9UGe1SY6
MD5:	C0339E92AE29035908777C3042A150EC
SHA1:	5FDE3107158C2370AAD4E29D8C31FDAB8CF1A072
SHA-256:	5B30365F76FD3F3F7BD0F2EDBF043FDF2B9FEA47D122197CD8D1CA71B42C822F
SHA-512:	DCE5580D73C048F46E86D617DCB46C8039FA4E5E7741F1D947E9FA398BDEC219D9B281F806C581465F9F3CEF7B86B8123B5EB1296A6FF3D12E0E829282BB9165
Malicious:	false
Preview:	MDMP..a..... ........{.g....................................T....>..........T.......8...........T...........0+..$c......................................................................................................eJ......\|.......GenuineIntel............T.......\....{.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WER946D.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8542
Entropy (8bit):	3.697013693758745
Encrypted:	false
SSDEEP:	192:R6l7wVeJpHz6PN6Y2DRSUnCgmffNtIpDO89btGsfiPm:R6lXJpT6PN6YMSUnCgmfvitlfz
MD5:	C5C7BE733421521387027CF92F9C020E
SHA1:	27E2B2E9F9D2FB14A2677FFE5963E4D69225C8BC
SHA-256:	ABC2C76E191DC48B7B9AAC573B5D733923696D27ACF5DB86514D382ED3CE2215
SHA-512:	9528FCAA46A8901A0B8DE7785A5DC85E540B6116F1E814D45228FA2B5B64BE1A69E5A63E7605D8E5639F51FBBAB92ED33CF0ABE70AB9625132024C2820BE7188
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.5.9.8.0.<./.P.i.

C:\ProgramData\Microsoft\Windows\WER\Temp\WER94CC.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4981
Entropy (8bit):	4.573810169254779
Encrypted:	false
SSDEEP:	48:cvIwWl8zsctJg77aI9wbWpW8VYpYm8M4J3eA+lFax+q8v+A+rsG9KcQIcQd0h02d:uIjfcHI7yq7VpJdxK09Kku62d
MD5:	E6FAF23B81946B9BD5122473970F370D
SHA1:	0C3864F3CE9ABC00F3A63B92BF75DDF0F0E432BD
SHA-256:	6A0167B30ED3F0431226BE8A4CFBC385D0F36AEDCC41B7FBA38EFCA1F76AB5C8
SHA-512:	5BECD6BAA95E9FDAD34BD4A10BE28D5A8B933A4344F3F12FA3EB19E215C024224C3A38B480E2C99E1B67F24588E62C7942505F49A706AD56ED5CD007C9DEF6F4
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="562126" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.465916739794386
Encrypted:	false
SSDEEP:	6144:MzZfpi6ceLPx9skLmb0fBZWSP3aJG8nAgeiJRMMhA2zX4WABluuNLjDH5S:yZHtBZWOKnMM6bFpZj4
MD5:	B8A875F15511F84D9259206C9838D49F
SHA1:	80A45111941C2CC360CBC660508EDCC5CC14E0F2
SHA-256:	BC562AA66C9215F84CC52034FF6D99525E107A83F0FDFEE2E6BC3531008605F1
SHA-512:	4A1FBAF746CD87C246D50B04ABF5CF47A3CE9E8C129B1A84170F7B8A086BC5A2199F2252D7E7717AFF03A10C1AAA8EF0EEAB5F02B1AC9551275E385E30C7FD04
Malicious:	false
Preview:	regfH...H....\.Z.................... ...........\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmr...(..............................................................................................................................................................................................................................................................................................................................................CR..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe
File Type:	ASCII text, with no line terminators, with escape sequences
Category:	dropped
Size (bytes):	53
Entropy (8bit):	4.689815737418786
Encrypted:	false
SSDEEP:	3:YoRTxCx+q49Vg9ND:5FCxj4M9B
MD5:	4E5EAA5EDD9A5CCC5BA3FBC366C81217
SHA1:	0F4809FE5246C5705941577EAA1BA429A71021F0
SHA-256:	E97F3155C7BB79912EA1DCC882518274A59FEDC7D14E07C60B068B79A79C0E1C
SHA-512:	F5A9B69AD75B0F52B1C857C116D2A8E003F449C51A9D91AEA078B19A25565D186B4B4DE4BD913C5E4BD68BF75CB68B68BBF7F4727F9F8D54DBA8F8541C27C754
Malicious:	false
Preview:	.[38;2;146;79;255m[~].[0m Connecting to the server...

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.657566619637477
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe
File size:	1'236'992 bytes
MD5:	992a36edccd6fb4db6aad9c43329cb04
SHA1:	5276588b19a213b10a8c25c6c08e11d4621124d5
SHA256:	b157d6d7519daf5b2ca2b514d6291d3df5c1971884ff429e48045bd7161ca369
SHA512:	666b2936016fca2444d547698e231a938277a1e1c3096ebc8529ecdd6cf8e37a5031d1d59439918ac0eecc83b129f26eaf6bfb9f1f326f0168531d870260c676
SSDEEP:	24576:gu+4D/tSdf1y6zQOC7eZXjPBKZR2xim/KDRzstB:gQtSdflppb0ZRCimiDRYf
TLSH:	8045AE32B681D072E1C601B1606AABF65A7D69345B6188C7B7C06E7DCA203D16F36F1F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I6..'e..'e..'e...e..'e..#d..'e.E&d..'e.G.e..'e.G$d..'e.G#d..'e.G"d..'e.G&d..'e..&e<.'e.@.d..'e.@.e..'e...e..'e.@%d..'eRich..'

File Icon


Icon Hash:	0fcd1333134d1f0e

Static PE Info

General

Entrypoint:	0x444756
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x671A2FDC [Thu Oct 24 11:30:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2e393828d40d2fd8900ef58c7c62e06f

Entrypoint Preview

Instruction
call 00007F8425280D8Ch
jmp 00007F8425280629h
retn 0000h
push ebp
mov ebp, esp
and dword ptr [00506BF8h], 00000000h
sub esp, 28h
or dword ptr [004B9090h], 01h
push 0000000Ah
call dword ptr [004A10F8h]
test eax, eax
je 00007F8425280ABBh
push ebx
push esi
push edi
xor eax, eax
lea edi, dword ptr [ebp-28h]
xor ecx, ecx
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-28h]
mov edi, dword ptr [ebp-24h]
mov dword ptr [ebp-04h], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-1Ch]
xor eax, 49656E69h
mov dword ptr [ebp-18h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 6C65746Eh
mov dword ptr [ebp-14h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-28h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-18h]
or eax, dword ptr [ebp-14h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007F84252807EBh
mov eax, dword ptr [ebp-28h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007F84252807D5h
cmp eax, 00020660h
je 00007F84252807CEh
cmp eax, 00020670h
je 00007F84252807C7h
cmp eax, 00030650h
je 00007F84252807C0h
cmp eax, 00030660h
je 00007F84252807B9h
cmp eax, 00030670h
jne 00007F84252807B9h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5ed8	0x208	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x108000	0x22c20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12b000	0x62c4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb2180	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb21c0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb20c0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa1000	0x6b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9f1fc	0x9f200	2786dd19dc325e6ecd53d85610130304	False	0.4886678858994501	data	6.577665712001494	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa1000	0x17c40	0x17e00	bd7fa78785f58d1f0c9c77ec2c095d5f	False	0.3919748036649215	data	5.635575515861512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb9000	0x4e1e8	0x4da00	f8cd3a11456809df1b2f086b21b4eb35	False	0.5262649708132046	data	6.469389322836828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x108000	0x22c20	0x22e00	0f61c35135555a22656b45fbc670384e	False	0.49721382168458783	data	6.06443588461351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12b000	0x62c4	0x6400	5468de62e230485b93ad67b10cc7c1d0	False	0.7203515625	data	6.682852540103243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1081f0	0xa33d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.9980138313910359
RT_ICON	0x112530	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	Russian	Russia	0.2503844788832367
RT_ICON	0x122d58	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	Russian	Russia	0.3471894189891356
RT_ICON	0x126f80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	Russian	Russia	0.3970954356846473
RT_ICON	0x129528	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	Russian	Russia	0.48827392120075047
RT_ICON	0x12a5d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	Russian	Russia	0.649822695035461
RT_GROUP_ICON	0x12aa38	0x5a	data	Russian	Russia	0.7666666666666667
RT_MANIFEST	0x12aa98	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
MSVCP140.dll	_Thrd_detach, _Query_perf_counter, _Cnd_do_broadcast_at_thread_exit, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Throw_Cpp_error@std@@YAXH@Z, _Query_perf_frequency, ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ??7ios_base@std@@QBE_NXZ, ?getloc@ios_base@std@@QBE?AVlocale@2@XZ, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z, ?_Syserror_map@std@@YAPBDH@Z, ?id@?$ctype@D@std@@2V0locale@2@A, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z, ?_Xbad_function_call@std@@YAXXZ, ?_Winerror_map@std@@YAHH@Z, ?_Xbad_alloc@std@@YAXXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?uncaught_exception@std@@YA_NXZ, ??Bid@locale@std@@QAEIXZ, ?always_noconv@codecvt_base@std@@QBE_NXZ, ?good@ios_base@std@@QBE_NXZ, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ??1_Lockit@std@@QAE@XZ, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ, ?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?_Xlength_error@std@@YAXPBD@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Xout_of_range@std@@YAXPBD@Z, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ??0_Lockit@std@@QAE@H@Z, ?ignore@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@_JH@Z
ADVAPI32.dll	CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey, CryptEncrypt, RegCloseKey, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, LookupPrivilegeValueW, AdjustTokenPrivileges, CloseServiceHandle, OpenSCManagerW, ControlService, RegOpenKeyExW, RegGetValueW, OpenServiceW, QueryServiceStatusEx, CopySid, IsValidSid, ConvertSidToStringSidW, GetLengthSid, ConvertSidToStringSidA, GetUserNameA, OpenProcessToken, GetTokenInformation
KERNEL32.dll	TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SleepConditionVariableSRW, GetFileSizeEx, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetLocaleInfoEx, FormatMessageA, MultiByteToWideChar, GetFileInformationByHandleEx, EnterCriticalSection, AreFileApisANSI, IsProcessorFeaturePresent, GetFileAttributesExW, FindFirstFileW, FindClose, CreateFileW, CreateDirectoryW, GetCurrentDirectoryW, OpenThread, SetThreadContext, CreateProcessA, IsDebuggerPresent, LeaveCriticalSection, SetEvent, WaitForSingleObject, CreateEventA, QueryPerformanceFrequency, GetSystemDirectoryA, FreeLibrary, MoveFileExA, WaitForSingleObjectEx, GetEnvironmentVariableA, GetFileType, ReadFile, PeekNamedPipe, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, SetLastError, FormatMessageW, GetTickCount, WaitForMultipleObjects, SleepEx, WakeAllConditionVariable, VirtualProtect, GetModuleFileNameW, GetModuleHandleA, LoadLibraryW, GetProcAddress, GetModuleHandleW, GetCurrentProcess, CloseHandle, LocalFree, WriteProcessMemory, Sleep, LoadLibraryA, VirtualProtectEx, VirtualAllocEx, ReadProcessMemory, CreateRemoteThread, VirtualFreeEx, GetExitCodeProcess, GetModuleFileNameA, HeapFree, InitializeCriticalSectionEx, HeapSize, GetLastError, HeapReAlloc, CreateThread, HeapAlloc, HeapDestroy, DeleteCriticalSection, GetProcessHeap, WideCharToMultiByte, VirtualFree, GetStdHandle, GetShortPathNameW, SetConsoleMode, VirtualAlloc, Thread32Next, GetEnvironmentVariableW, GetWriteWatch, Thread32First, SuspendThread, HeapWalk, ResumeThread, OpenProcess, GetConsoleMode, GetTickCount64, Process32NextW, CreateFileA, GetCurrentThread, Process32FirstW, RaiseException, GetSystemInfo, GetThreadContext, VerSetConditionMask, GetCurrentProcessId, VerifyVersionInfoW, OutputDebugStringW
USER32.dll	MessageBoxA, FindWindowW
SHELL32.dll	ShellExecuteW, ShellExecuteA
SHLWAPI.dll	PathFindFileNameW
RPCRT4.dll	RpcStringFreeA, UuidToStringA, UuidCreate
USERENV.dll	UnloadUserProfile
VCRUNTIME140.dll	memmove, memcpy, wcsstr, memchr, strstr, __CxxFrameHandler3, __std_exception_destroy, strchr, _except_handler4_common, memset, strrchr, __std_terminate, __current_exception_context, __std_exception_copy, __current_exception, _CxxThrowException
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, fflush, fclose, fputs, _close, __stdio_common_vsscanf, fgetc, __stdio_common_vswprintf, __stdio_common_vfprintf, _fileno, feof, __acrt_iob_func, _lseeki64, fseek, fwrite, ftell, fgetpos, _popen, setvbuf, ungetc, __stdio_common_vsprintf, _write, _read, fgets, fputc, _pclose, fsetpos, fread, _fseeki64, _open, _set_fmode, _get_stream_buffer_pointers, fopen
api-ms-win-crt-filesystem-l1-1-0.dll	_unlink, rename, _access, _lock_file, _unlock_file, _stat64, _fstat64
api-ms-win-crt-string-l1-1-0.dll	strncpy, _strdup, strspn, strcspn, strncmp, strpbrk, strcat_s
api-ms-win-crt-runtime-l1-1-0.dll	_beginthreadex, terminate, _resetstkoflw, _errno, system, __sys_nerr, __sys_errlist, exit, _controlfp_s, _invalid_parameter_noinfo, _invalid_parameter_noinfo_noreturn, _register_thread_local_exe_atexit_callback, _c_exit, __p___wargv, __p___argc, _exit, _initterm_e, _initterm, _get_initial_wide_environment, _initialize_wide_environment, _configure_wide_argv, abort, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table
api-ms-win-crt-heap-l1-1-0.dll	calloc, _recalloc, _callnewh, realloc, free, malloc, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _dsign, _fdopen, _dclass
api-ms-win-crt-convert-l1-1-0.dll	strtoul, atoi, strtol, strtoull, strtoll, strtod, wcstombs
api-ms-win-crt-time-l1-1-0.dll	_time64, strftime, _localtime64, _localtime64_s, _gmtime64
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale, localeconv, ___lc_codepage_func
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-utility-l1-1-0.dll	qsort, srand, rand
bcrypt.dll	BCryptGenRandom
Normaliz.dll	IdnToAscii, IdnToUnicode
WLDAP32.dll
CRYPT32.dll	CertOpenStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CryptStringToBinaryA, PFXImportCertStore, CryptDecodeObjectEx, CertAddCertificateContextToStore, CertFindExtension, CertGetNameStringA, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateChain, CertCloseStore
WS2_32.dll	send, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAResetEvent, WSAWaitForMultipleEvents, closesocket, WSASetLastError, WSAGetLastError, ntohs, WSAStartup, WSACleanup, setsockopt, WSAIoctl, htons, getsockopt, socket, __WSAFDIsSet, select, accept, bind, connect, getsockname, htonl, listen, recv, getaddrinfo, freeaddrinfo, recvfrom, sendto, getpeername, ioctlsocket, gethostname

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 18:43:41.447643042 CET	49712	443	192.168.2.6	104.26.1.5
Oct 27, 2024 18:43:41.447743893 CET	443	49712	104.26.1.5	192.168.2.6
Oct 27, 2024 18:43:41.447946072 CET	49712	443	192.168.2.6	104.26.1.5
Oct 27, 2024 18:43:41.458570957 CET	49712	443	192.168.2.6	104.26.1.5
Oct 27, 2024 18:43:41.458609104 CET	443	49712	104.26.1.5	192.168.2.6
Oct 27, 2024 18:43:42.089050055 CET	443	49712	104.26.1.5	192.168.2.6
Oct 27, 2024 18:43:42.089118958 CET	49712	443	192.168.2.6	104.26.1.5
Oct 27, 2024 18:43:42.098361015 CET	49712	443	192.168.2.6	104.26.1.5
Oct 27, 2024 18:43:42.098408937 CET	443	49712	104.26.1.5	192.168.2.6
Oct 27, 2024 18:43:42.098529100 CET	49712	443	192.168.2.6	104.26.1.5
Oct 27, 2024 18:43:42.098546028 CET	443	49712	104.26.1.5	192.168.2.6
Oct 27, 2024 18:43:42.098632097 CET	49712	443	192.168.2.6	104.26.1.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 18:43:41.436001062 CET	52226	53	192.168.2.6	1.1.1.1
Oct 27, 2024 18:43:41.444333076 CET	53	52226	1.1.1.1	192.168.2.6

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 18:43:41.436001062 CET	192.168.2.6	1.1.1.1	0xa2f4	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 18:43:41.444333076 CET	1.1.1.1	192.168.2.6	0xa2f4	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:43:41.444333076 CET	1.1.1.1	192.168.2.6	0xa2f4	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:43:41.444333076 CET	1.1.1.1	192.168.2.6	0xa2f4	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:43:37
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe"
Imagebase:	0xe20000
File size:	1'236'992 bytes
MD5 hash:	992A36EDCCD6FB4DB6AAD9C43329CB04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:43:37
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:43:39
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:43:39
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:43:39
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\certutil.exe
Wow64 process (32bit):	true
Commandline:	certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5
Imagebase:	0x7f0000
File size:	1'277'440 bytes
MD5 hash:	0DDA4F16AE041578B4E250AE12E06EB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:43:39
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	find /i /v "md5"
Imagebase:	0x120000
File size:	14'848 bytes
MD5 hash:	15B158BC998EEF74CFDD27C44978AEA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:43:39
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	find /i /v "certutil"
Imagebase:	0x120000
File size:	14'848 bytes
MD5 hash:	15B158BC998EEF74CFDD27C44978AEA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:43:40
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:43:40
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0x1c0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:43:40
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff66e660000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:43:41
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 5
Imagebase:	0x690000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:43:41
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 5980 -s 1104
Imagebase:	0x8e0000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.4%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	22.8%
Total number of Nodes:	2000
Total number of Limit Nodes:	46

Executed Functions

Function 00E321F0 Relevance: 74.0, APIs: 37, Strings: 4, Instructions: 2272windowsleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,00E3DA40,00000000,00000000,00000000), ref: 00E3225B
UuidCreate.RPCRT4(?), ref: 00E322AF
UuidToStringA.RPCRT4(?,?), ref: 00E322CD
RpcStringFreeA.RPCRT4(00000000), ref: 00E322FF

Part of subcall function 00E3F790: memmove.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,00E324D2,?,?,00000000,00000000,?,?,0000000F,00000000), ref: 00E3F7CF

Part of subcall function 00E34960: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,8E857614,?,?,?,?,?,?,?,?,DDCCC48D), ref: 00E34A4C

memmove.VCRUNTIME140(00000000,00000000,?,00000001,0000000F,00000000,00000000), ref: 00E3295D
memmove.VCRUNTIME140(00000000,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 00E32A61
MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 00E33003
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 00E3300B
memset.VCRUNTIME140(?,00000000,000000B8,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 00E3301F
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 00E3303F
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000,?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 00E33064
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 00E3309E
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 00E330C2

Part of subcall function 00E410E0: ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000001,?,00000040,8E857614,?,?,?,00E33106,?,00000001,00000000,?,?,?,?,?), ref: 00E41120
Part of subcall function 00E410E0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,?,?,00E33106,?,00000001,00000000,?,?,?,?,?,?,00000000,?), ref: 00E4113D
Part of subcall function 00E410E0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,?,?), ref: 00E41165
Part of subcall function 00E410E0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,00E33106,?,00000001,00000000,?,?), ref: 00E411AA
Part of subcall function 00E410E0: ?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP140(?,?,?,?,?,?,?,?,00E33106,?,00000001), ref: 00E411C2

fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000080,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E3331B

Part of subcall function 00E43770: memmove.VCRUNTIME140(?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F), ref: 00E4382F
Part of subcall function 00E43770: memmove.VCRUNTIME140(?,?,DCC8DA8D,?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D), ref: 00E43840

MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 00E338F3
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 00E338FB
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,00000001,00000000,?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000), ref: 00E3311D

Part of subcall function 00E41260: memmove.VCRUNTIME140(?,?,00E3AFF8,00000000,?,?,00E3AFF8,?,?), ref: 00E4128D

?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z.MSVCP140(0000000A,?,00000001,00000000,?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 00E331A6
_popen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00ECFB2C,?,?,?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 00E3329C
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000080,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 00E332D0
memset.VCRUNTIME140(?,00000000,000000B0,00000000,?,?,DDDEC9C6,?,00000001), ref: 00E33A56
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(DDDEC9C6,?,00000001), ref: 00E33A78
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000), ref: 00E33A9A
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,00000001), ref: 00E33AD4
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z.MSVCP140(00E2F740), ref: 00E33B93
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(00000001,00000002,00000000), ref: 00E33BB0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(00000000), ref: 00E33BD8
Sleep.KERNEL32(00000064,?,FDDAC9C5,?,00000001,?,CDCED9D8,?,00000001,00000000,?,message,success,?), ref: 00E33F34
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,DDDEC9C6,?,00000001,CFDBC2C2,?,?,?), ref: 00E34182
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,?), ref: 00E3418E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00E3434F
MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 00E3468C
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 00E346C9
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,00000000,00000000,00000001,?,?,?,?,00000001,?,?), ref: 00E346D1
MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 00E3475D
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 00E34765
_CxxThrowException.VCRUNTIME140(?,00ED5DA0,?,?), ref: 00E347B4

Strings

Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 00E33CD9
message, xrefs: 00E33D20
certutil -hashfile ", xrefs: 00E33219
success, xrefs: 00E33D04

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$memmove$Messageexit$??0?$basic_ios@??0?$basic_streambuf@??6?$basic_ostream@CreateInit@?$basic_streambuf@StringUuidV01@V?$basic_streambuf@_invalid_parameter_noinfo_noreturnfgetsmemset$??0?$basic_iostream@??0?$basic_istream@??1?$basic_ios@??1?$basic_iostream@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@?setw@std@@?widen@?$basic_ios@D@std@@@1@@D@std@@@1@_ExceptionExecuteFiopen@std@@FreeJ@1@_ShellSleepSmanip@_ThreadThrowU?$_U_iobuf@@V21@@Vios_base@1@Vlocale@2@_get_stream_buffer_pointers_popen
String ID: Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: $certutil -hashfile "$message$success
API String ID: 1436105476-171691153
Opcode ID: dd6a619e288d55e4b19e7c8517cd37319a4631d4d8f7bb8bd3e04bfc60830ec8
Instruction ID: 7cc53e61041e34106e4179a93caca00fdbe3acdd24f97dce85c5a9496fe266b7
Opcode Fuzzy Hash: dd6a619e288d55e4b19e7c8517cd37319a4631d4d8f7bb8bd3e04bfc60830ec8
Instruction Fuzzy Hash: A633ABB0D002588BDB29CB24DC88BEDBBB5AF55304F1492D9E449B7292DB756BC8CF50

Function 00E4EDB0 Relevance: 62.1, APIs: 27, Strings: 8, Instructions: 881
memorylibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,NtSetInformationThread), ref: 00E4EDDC
GetProcAddress.KERNEL32(00000000), ref: 00E4EDE3
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000), ref: 00E4EDF5
VirtualAlloc.KERNELBASE(00000000,00004000,00003000,00000004,?,?), ref: 00E4EEF9
VirtualAlloc.KERNELBASE(00000000,01000000,00203000,00000004), ref: 00E4EF13
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 00E4EF2A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 00E4EF4E
GetShortPathNameW.KERNEL32(?,?,00000104), ref: 00E4EF6A
GetEnvironmentVariableW.KERNEL32(?,?,00000104), ref: 00E4F2CF
ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 00E4F2F1
GetCurrentProcess.KERNEL32(00000001), ref: 00E4F2FF
NtTerminateProcess.NTDLL(00000000), ref: 00E4F306
GetWriteWatch.KERNELBASE(00000000,00000000,00001000,00000000,?), ref: 00E4F3A3
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00E4F3BE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 00E4F3C8
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 00E4F4B1
LoadLibraryA.KERNEL32(?,?,?,?,00000000), ref: 00E4F6F1
GetProcAddress.KERNEL32(00000000,CsrGetProcessId), ref: 00E4F701
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 00E4F715
CloseHandle.KERNEL32(00000000), ref: 00E4F720
CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 00E4F9FD
CloseHandle.KERNELBASE(00000000), ref: 00E4FA0D
GetProcessHeap.KERNEL32(?,?,?), ref: 00E4FB58
HeapWalk.KERNEL32(00000000), ref: 00E4FB5F
memset.VCRUNTIME140(?,00000000,000002C8,?,?,?,?,?,?), ref: 00E5017D
GetCurrentThread.KERNEL32 ref: 00E50190
GetThreadContext.KERNEL32(00000000,00010010), ref: 00E5019F

Strings

CsrGetProcessId, xrefs: 00E4F6FB
>jL", xrefs: 00E4EF8E
d, xrefs: 00E4F340
P-8w, xrefs: 00E4F2F7
NtSetInformationThread, xrefs: 00E4EDCC
ntdll.dll, xrefs: 00E4EDD3
Rj@", xrefs: 00E4F1F0
RPsu, xrefs: 00E4F826

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$HandleProcess$FreeModuleThread$AddressAllocCloseCurrentFileHeapNameProc$ContextCreateEnvironmentExecuteInformationLibraryLoadOpenPathShellShortTerminateVariableWalkWatchWritememset
String ID: >jL"$CsrGetProcessId$NtSetInformationThread$P-8w$RPsu$Rj@"$d$ntdll.dll
API String ID: 2524847058-2986773690
Opcode ID: 5809e3ab5b0877bab92faded9cc705db7bf5c332436655a326d6ccc17d9e1199
Instruction ID: ecef63290d61dc0cab95b283ba5aa9645289fafe8d66ede656a6a54fcc02457d
Opcode Fuzzy Hash: 5809e3ab5b0877bab92faded9cc705db7bf5c332436655a326d6ccc17d9e1199
Instruction Fuzzy Hash: 78B2EDB46093808BD739CF28D484BEABBE5BF89304F005A1DE9DDA7351EB705A45CB46

Function 00E51670 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 264
libraryloaderinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?), ref: 00E51816
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 00E51824
LoadLibraryW.KERNELBASE(?), ref: 00E5187E
GetProcAddress.KERNEL32(00000000,00ED16A4), ref: 00E51897
GetModuleHandleA.KERNEL32(00000000), ref: 00E518AD
wcsstr.VCRUNTIME140(00000000,?), ref: 00E51907
wcsstr.VCRUNTIME140(3545065E,?), ref: 00E5195B
VirtualProtectEx.KERNEL32(?,00000000,00000000,00000040,3545065E), ref: 00E51980
WriteProcessMemory.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 00E51999
VirtualProtectEx.KERNEL32(?,00000000,00000000,3545065E,00000000), ref: 00E519B7
CloseHandle.KERNELBASE(?), ref: 00E519D2

Strings

][B, xrefs: 00E516E7

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Process$HandleProtectVirtualwcsstr$AddressCloseCurrentLibraryLoadMemoryModuleOpenProcWrite
String ID: ][B
API String ID: 1383684886-3797712168
Opcode ID: 437c1e043aa669aaf04042472a6fe19297fe9887a92d76478f90067b70653bce
Instruction ID: 3a60a4b9b0090894521443cc0228486e9869c918a2dca199eaf84313a9145022
Opcode Fuzzy Hash: 437c1e043aa669aaf04042472a6fe19297fe9887a92d76478f90067b70653bce
Instruction Fuzzy Hash: A7C11575D00219AFCB14DFA9E840AAEFBB1FF49300F0485AAE825B7350E7756A06DF50

Function 00E6C150 Relevance: 18.5, APIs: 12, Instructions: 493
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7fcebc6865cfd13e296520dcc37794275437d20b7ba85b7fb5c04ef327872355
Instruction ID: 4a95a2abd2b441cafce40b2e97d3255ddd974aef451f39487eb4a4e4523ae74f
Opcode Fuzzy Hash: 7fcebc6865cfd13e296520dcc37794275437d20b7ba85b7fb5c04ef327872355
Instruction Fuzzy Hash: 0E129A706483419FD720CF65E880B7ABBE4BF88348F54682EF9D9A7251E734E844CB52

Function 00E8D550 Relevance: 12.3, APIs: 8, Instructions: 265
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00002726,?), ref: 00E8D5BB
WSASetLastError.WS2_32(00002726), ref: 00E8D73C
select.WS2_32(?,?,?,?,00000000), ref: 00E8D7B4
WSAGetLastError.WS2_32(?,?), ref: 00E8D7C5
__WSAFDIsSet.WS2_32(?,?), ref: 00E8D807
__WSAFDIsSet.WS2_32(?,?), ref: 00E8D845
__WSAFDIsSet.WS2_32(?,?), ref: 00E8D863
Sleep.KERNEL32(FFFFFFFE), ref: 00E8D8C0

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$Sleepselect
String ID:
API String ID: 2806104629-0
Opcode ID: 8827772b4ab1dbe8fd82914c0410c42338e177bc16392761221982a1474fa915
Instruction ID: 7e01ec61aa523c5a8c864ab7186ce5b31f4319aba9df0edb05ad41c65467875f
Opcode Fuzzy Hash: 8827772b4ab1dbe8fd82914c0410c42338e177bc16392761221982a1474fa915
Instruction Fuzzy Hash: 0FA181705083458BD739AF29DC956AEB3E5FF88318F54192EE89DE21D0EB35C940CB52

Function 00E3A610 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 428
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E64E80: AcquireSRWLockExclusive.KERNEL32(00F26C18,?,00E32662,?,?,00000000,00000000,?,?,0000000F,00000000,00000000), ref: 00E64E86
Part of subcall function 00E64E80: ReleaseSRWLockExclusive.KERNEL32(00F26C18,00000000,00000000), ref: 00E64EAA

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E3A731
strstr.VCRUNTIME140(00000000,?), ref: 00E3AA0D
strstr.VCRUNTIME140(00000000,89D9C9E7), ref: 00E3AA43

Strings

keyauth.win, xrefs: 00E3A791
b7, xrefs: 00E3A7C1, 00E3A7C8, 00E3A8AE, 00E3ABBE, 00E3A6C5, 00E3A7CC, 00E3A8B3

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ExclusiveLockstrstr$AcquireRelease_invalid_parameter_noinfo_noreturn
String ID: b7$keyauth.win
API String ID: 3875448324-862066459
Opcode ID: 6e27c9b728611e52f9ebac59f374b529db460e32f78a72ad1b81db7012f210eb
Instruction ID: ed75070b0562f66e4da60aaae1146ee9bc2991f83ff78194d27edba6539c3229
Opcode Fuzzy Hash: 6e27c9b728611e52f9ebac59f374b529db460e32f78a72ad1b81db7012f210eb
Instruction Fuzzy Hash: 6CF13471C102488BDB01DF78DC867ADBBB5EF56344F189369E8447B242E771AAC9CB81

Function 00E50910 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 271librarymemoryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?), ref: 00E50A46
GetProcAddress.KERNEL32(00000000,?), ref: 00E50ACF
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 00E50B03
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00E50CDE

Strings

UjJ", xrefs: 00E50B40

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$AddressAllocFreeLibraryLoadProc
String ID: UjJ"
API String ID: 3087743119-1193379857
Opcode ID: 915a2a38cf17948d8196f37cca8cc1e6aef4dab5a471fc67c44634ce1b992432
Instruction ID: 57b28d2c4688604ea621aa1b2652200c81ca6a1515ae82cc57174c3d673cfb8c
Opcode Fuzzy Hash: 915a2a38cf17948d8196f37cca8cc1e6aef4dab5a471fc67c44634ce1b992432
Instruction Fuzzy Hash: 6AD1DFB4E042199BDB15CF98D881AEEFBB1FF09310F148699E969BB340E7306A45CF54

Function 00E50E60 Relevance: 4.6, APIs: 3, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,00000000,?,?,?,8E857614,?,?), ref: 00E50F12
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 00E50F25
VirtualProtect.KERNELBASE(00000000,?,00000140,00000000), ref: 00E50F58

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$AllocInfoProtectSystem
String ID:
API String ID: 284756817-0
Opcode ID: 30b95856fb558738372c9b5d77889f20ffc6aaba82548cf0065c38d2601b84f4
Instruction ID: 84db63e9cc7e57bea8966cc65a0e768ca40984ce79cd6d3eef33583098599a15
Opcode Fuzzy Hash: 30b95856fb558738372c9b5d77889f20ffc6aaba82548cf0065c38d2601b84f4
Instruction Fuzzy Hash: 5F4179B1E04248AFCB14CFF9D881BEEBBF4EB09700F10862AE915F7281E6345805CB60

Function 00E7F5C0 Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 188
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 00E7F5E8
WSACleanup.WS2_32 ref: 00E7F601
GetModuleHandleA.KERNEL32(kernel32,?,00000000), ref: 00E7F638
GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 00E7F65C
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(iphlpapi.dll,00EC5864,?,?,00000000), ref: 00E7F66A
LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 00E7F692
GetProcAddress.KERNEL32(00000000,AddDllDirectory), ref: 00E7F6A9
LoadLibraryExA.KERNELBASE(iphlpapi.dll,00000000,00000800), ref: 00E7F6BB
GetSystemDirectoryA.KERNEL32(00000000,00000000), ref: 00E7F6C8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000D), ref: 00E7F6DE
GetSystemDirectoryA.KERNEL32(00000000,?), ref: 00E7F6F2
LoadLibraryA.KERNEL32(00000000), ref: 00E7F74B
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00E7F754
GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 00E7F76E
GetModuleHandleA.KERNEL32(ws2_32), ref: 00E7F786
GetProcAddress.KERNEL32(00000000,FreeAddrInfoExW), ref: 00E7F798
GetProcAddress.KERNEL32(00000000,GetAddrInfoExCancel), ref: 00E7F7A5
GetProcAddress.KERNEL32(00000000,GetAddrInfoExW), ref: 00E7F7B2
QueryPerformanceFrequency.KERNEL32(00F271E0), ref: 00E7F7F1

Strings

FreeAddrInfoExW, xrefs: 00E7F792
LoadLibraryExA, xrefs: 00E7F656
GetAddrInfoExCancel, xrefs: 00E7F79A
if_nametoindex, xrefs: 00E7F768
GetAddrInfoExW, xrefs: 00E7F7A7
iphlpapi.dll, xrefs: 00E7F663, 00E7F67F, 00E7F68D, 00E7F6B6, 00E7F721
AddDllDirectory, xrefs: 00E7F6A3
kernel32, xrefs: 00E7F631
ws2_32, xrefs: 00E7F781

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad$DirectoryHandleModuleSystem$CleanupFrequencyPerformanceQueryStartupfreemallocstrpbrk
String ID: AddDllDirectory$FreeAddrInfoExW$GetAddrInfoExCancel$GetAddrInfoExW$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32$ws2_32
API String ID: 2955908671-760012282
Opcode ID: 10c19a38d177a6da474a92aa9a2424f01fc8f362558c3b79450d3f627beca3f9
Instruction ID: 37b14ac93daf1a02aba0702a23347fb7242ce9a8644f9dbd0f13903720ce6876
Opcode Fuzzy Hash: 10c19a38d177a6da474a92aa9a2424f01fc8f362558c3b79450d3f627beca3f9
Instruction Fuzzy Hash: 44518A31744301AFE7245B71AC46F6A3794AF42B09F08907EF909B7292EFA2D8078791

Function 00E51000 Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 304
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140(?,00000000,000000FF,?,?,?,?), ref: 00E511F1
RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\HardwareConfig\Current\,00000000,00000001,00000000,?,?,?), ref: 00E5121E
RegGetValueW.KERNELBASE(00000000,00000000,SystemManufacturer,00000002,00000000,?,000000FF), ref: 00E51249
memset.VCRUNTIME140(?,00000000,000000FF), ref: 00E512A5
RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\HardwareConfig\Current\,00000000,00000001,00000000), ref: 00E512CC
RegGetValueW.KERNELBASE(00000000,00000000,BIOSVendor,00000002,00000000,?,000000FF), ref: 00E512F1
memset.VCRUNTIME140(?,00000000,000000FF), ref: 00E51347
RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\HardwareConfig\Current\,00000000,00000001,00000000), ref: 00E5136E
RegGetValueW.KERNELBASE(00000000,00000000,SystemFamily,00000002,00000000,?,000000FF), ref: 00E51393
memset.VCRUNTIME140(?,00000000,000000FF), ref: 00E513E9
RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\HardwareConfig\Current\,00000000,00000001,00000000), ref: 00E51410
RegGetValueW.KERNELBASE(00000000,00000000,SystemProductName,00000002,00000000,?,000000FF), ref: 00E51435

Strings

SystemManufacturer, xrefs: 00E5123C
Virtual Machine, xrefs: 00E51399, 00E5143B
SYSTEM\HardwareConfig\Current\, xrefs: 00E51214, 00E512C2, 00E51364, 00E51406
SystemProductName, xrefs: 00E51428
SystemFamily, xrefs: 00E51386
Microsoft Corporation, xrefs: 00E5124F, 00E512F7
BIOSVendor, xrefs: 00E512E4

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: OpenValuememset
String ID: BIOSVendor$Microsoft Corporation$SYSTEM\HardwareConfig\Current\$SystemFamily$SystemManufacturer$SystemProductName$Virtual Machine
API String ID: 1838555039-2738853297
Opcode ID: 433201e77d1e0f9e6f9f64c84617f74a3ea89075760ec9dcc2ed2b1e7eacd555
Instruction ID: 09dc71e1158697b3010b967b9fa5e3a330715515a745952ca6b6a80f5e3cbd62
Opcode Fuzzy Hash: 433201e77d1e0f9e6f9f64c84617f74a3ea89075760ec9dcc2ed2b1e7eacd555
Instruction Fuzzy Hash: 93C18EF490021C9ADB308F108C91BE9B7B9AF05748F0455E9DB48B7282E7719EC9CF19

Function 00E7F410 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 148
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32,?,?,security.dll,00EB0B8D,security.dll,00000004,00000000,00000000,00000002,00000002,00E7F626), ref: 00E7F41A
GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 00E7F432
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,00EC5864,?,?,?,security.dll,00EB0B8D,security.dll,00000004,00000000,00000000,00000002,00000002,00E7F626), ref: 00E7F444

Strings

LoadLibraryExA, xrefs: 00E7F42C
security.dll, xrefs: 00E7F410
AddDllDirectory, xrefs: 00E7F477
kernel32, xrefs: 00E7F413

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProcstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32$security.dll
API String ID: 27745253-2138446276
Opcode ID: 305ebce49932d77c8c31d678431a2341d22843d9f628e26db91da8b33bc0c961
Instruction ID: 387443c7da7ec11a5bee598019d1ca93cdc3bdaf02c94de019249f07e8774bce
Opcode Fuzzy Hash: 305ebce49932d77c8c31d678431a2341d22843d9f628e26db91da8b33bc0c961
Instruction Fuzzy Hash: BD412A773053005FEB141F79BC44BBA7759DF8232AF28907EEA46A6142EF67D80B4660

Function 00E52010 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 423
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,8E857614,-00000001,C8593A89), ref: 00E5205F
memset.VCRUNTIME140(?,00000000,00000100,?,?), ref: 00E520EF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,?), ref: 00E5222E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 00E52278
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 00E522B0
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 00E522DE
srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 00E522EE
rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?), ref: 00E5258C
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 00E525B0
strcat_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000014,.exe), ref: 00E525F9
rename.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000), ref: 00E5261B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E526DD

Strings

.exe, xrefs: 00E525E9

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide_invalid_parameter_noinfo_noreturnrand$FileModuleName_time64memsetrenamesrandstrcat_s
String ID: .exe
API String ID: 187646111-4119554291
Opcode ID: 43a1b49459cce4d10bc78d74b8e018ba69f57f0f9be71e7b9d0d1b1543b9d6fa
Instruction ID: 9e3a8f9ed008079bef2e12d691ee45661c74e393605f4ef9da6a87d67ff3081e
Opcode Fuzzy Hash: 43a1b49459cce4d10bc78d74b8e018ba69f57f0f9be71e7b9d0d1b1543b9d6fa
Instruction Fuzzy Hash: 821248709052288BDB26CF28DD99BA9B7B8EB45304F1006D9E94DB7290DBB16FC5CF40

Function 00E6F230 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 69
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,000006DC,?,00000000,00000088,00E76784,00000000), ref: 00E6F6F0
LeaveCriticalSection.KERNEL32(?,?,00000000,00000088,00E76784,00000000), ref: 00E6F703
CloseHandle.KERNEL32(00000000,?,00000000,00000088,00E76784,00000000), ref: 00E6F714
GetAddrInfoExCancel.WS2_32(?), ref: 00E6F731
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000088,00E76784,00000000), ref: 00E6F73B
CloseHandle.KERNELBASE(?,?,00000000,00000088,00E76784,00000000), ref: 00E6F743
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,00000088,00E76784,00000000), ref: 00E6F767
closesocket.WS2_32(?), ref: 00E6F77E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000088,00E76784,00000000), ref: 00E6F78F

Strings

4, xrefs: 00E6F230

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CloseCriticalHandleSectionfree$AddrCancelEnterInfoLeaveObjectSingleWaitclosesocket
String ID: 4
API String ID: 3257786090-2200918444
Opcode ID: 45e62b3b33bf1ad52ec154039b2d0a9393ba449b80f43f6c340c9a2d141caa8f
Instruction ID: 023bca9cbd23a90ebb699eaed9a610d6c52ec026199ad5609512014367bd5561
Opcode Fuzzy Hash: 45e62b3b33bf1ad52ec154039b2d0a9393ba449b80f43f6c340c9a2d141caa8f
Instruction Fuzzy Hash: F321BE75451202EFCB00AF61FD48A86BBB8FF05396F041031FA19A2122D732F869DBE1

Function 00E3AE00 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,8E857614,?,?), ref: 00E3AE67
_popen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00ECFB2C,?), ref: 00E3AF89
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000080,00000000), ref: 00E3AFC1
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000080,00000000,?,?), ref: 00E3B005
_pclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00E3B01A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E3B0DA
_CxxThrowException.VCRUNTIME140(?,00ED5DA0,?,?), ref: 00E3B153

Strings

certutil -hashfile ", xrefs: 00E3AEE5

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: fgets$ExceptionFileModuleNameThrow_invalid_parameter_noinfo_noreturn_pclose_popen
String ID: certutil -hashfile "
API String ID: 3145020836-3987956816
Opcode ID: 305a4bd7f12c3c38c3393adf8d7c3b9475229bb123974c89c7630bc9a080c7ab
Instruction ID: 2a57b80c8d47719e18acf8e5106a37dd855d4fb60d5281c2154038451909492e
Opcode Fuzzy Hash: 305a4bd7f12c3c38c3393adf8d7c3b9475229bb123974c89c7630bc9a080c7ab
Instruction Fuzzy Hash: 9591C070D012188BDB24CB24DD48BEABBB4EF55304F1492D9E859B7292EB715BC8CF50

Function 00E52720 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E2DEC0: memchr.VCRUNTIME140 ref: 00E2DF08
Part of subcall function 00E2DEC0: memchr.VCRUNTIME140(00000001,?,?), ref: 00E2DF8B

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,8E857614,?,00000001), ref: 00E52913

Part of subcall function 00E2E120: memmove.VCRUNTIME140(?,76230E50,?,?,?,?,76230E50), ref: 00E2E152

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(00000092,?,8E857614,?,00000001), ref: 00E5283E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(0000004F), ref: 00E52854
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(000000FF), ref: 00E5286D
memmove.VCRUNTIME140(?,?,?), ref: 00E528C3

Strings

[~], xrefs: 00E52781, 00E52885

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@$memchrmemmove$_invalid_parameter_noinfo_noreturn
String ID: [~]
API String ID: 476110309-1003381106
Opcode ID: e33b9abf1a3f2ed7e2b7ab2dd02c208a705ff645fa8ebe8eda4115ad2acd3905
Instruction ID: fb4fe58f44c19e45ecdd2003eda14855799b0583cfc701189c40698632bd6343
Opcode Fuzzy Hash: e33b9abf1a3f2ed7e2b7ab2dd02c208a705ff645fa8ebe8eda4115ad2acd3905
Instruction Fuzzy Hash: 1951C475E00108AFCF08DBA4E885AEEB7F5EF89300F10962DE91677785D7306946DB91

Function 00E3AC20 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 159
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 00E43770: memmove.VCRUNTIME140(?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F), ref: 00E4382F
Part of subcall function 00E43770: memmove.VCRUNTIME140(?,?,DCC8DA8D,?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D), ref: 00E43840

memmove.VCRUNTIME140(?, && timeout /t 5",00000011,?,00EBE2C8,start cmd /C "color b && title Error && echo ,0000002D,?,00EBE2C8,8E857614,00000000), ref: 00E3ACC1
system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000011,00000000, && timeout /t 5",00000011,?,00EBE2C8,start cmd /C "color b && title Error && echo ,0000002D,?,00EBE2C8,8E857614,00000000), ref: 00E3AD26
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E3AD97
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E3ADD1

Strings

start cmd /C "color b && title Error && echo , xrefs: 00E3AC83
&& timeout /t 5", xrefs: 00E3ACA4

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$_invalid_parameter_noinfo_noreturn$system
String ID: && timeout /t 5"$start cmd /C "color b && title Error && echo
API String ID: 914278256-3357973498
Opcode ID: 22efb2cfb79180b27f0a054ceb19215b76ae11c6ce0b3ae8a30f9132449ae501
Instruction ID: 0305bf86f9b158553ae7e5ef1c0a3c04eeed1142baadf945ecb71e82d9d793a9
Opcode Fuzzy Hash: 22efb2cfb79180b27f0a054ceb19215b76ae11c6ce0b3ae8a30f9132449ae501
Instruction Fuzzy Hash: 03510871D002049FDB08CF68DD89BEEBBB1EF45304F248269E551B7692D774AE81CB91

Function 00E22A50 Relevance: 9.2, APIs: 6, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,8E857614), ref: 00E22B28
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,?,8E857614), ref: 00E22B54
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,8E857614), ref: 00E22B7E
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,8E857614), ref: 00E22BE6
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,8E857614), ref: 00E22BEC
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,8E857614), ref: 00E22BF9

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@
String ID:
API String ID: 3901553425-0
Opcode ID: 7db2e0a6495e2706094918cba9b0aa8be463bab79ffaaacd5dbc30ec7a50b1da
Instruction ID: bacd69ed778108540459f997770a1b1abedc1415b4cf20dc82b39a12d8cf176b
Opcode Fuzzy Hash: 7db2e0a6495e2706094918cba9b0aa8be463bab79ffaaacd5dbc30ec7a50b1da
Instruction Fuzzy Hash: 91516D75A005149FCB14CF68D984BA9BBF0FF49718F29529CE916BB3A2D731AC01CB54

Function 00E76DB0 Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000E08,?,00E64EC8,00000000,?,00E32662,?,?,00000000,00000000,?,?,0000000F,00000000,00000000), ref: 00E76DB8
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000000,00000000), ref: 00E76DEA

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: callocfree
String ID:
API String ID: 306872129-0
Opcode ID: 3aca59ee2673ecfcda89a600b00168f51a47b1482089fe31183582bfccdb8821
Instruction ID: 2d0a5d7550d0da372b39783f9b198bee4608bb8b0a34f7110b97fa88dc59d613
Opcode Fuzzy Hash: 3aca59ee2673ecfcda89a600b00168f51a47b1482089fe31183582bfccdb8821
Instruction Fuzzy Hash: C6610AB0205B42AEE3599F38D849BC6FBA5BB41328F144319E57C5B2D1C7B62079CBD1

Function 00EB0B60 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00EB0760: GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo), ref: 00EB078E
Part of subcall function 00EB0760: GetProcAddress.KERNEL32(00000000), ref: 00EB0795

Part of subcall function 00E7F410: GetModuleHandleA.KERNEL32(kernel32,?,?,security.dll,00EB0B8D,security.dll,00000004,00000000,00000000,00000002,00000002,00E7F626), ref: 00E7F41A

GetProcAddress.KERNELBASE(00000000,InitSecurityInterfaceA), ref: 00EB0B9F

Strings

InitSecurityInterfaceA, xrefs: 00EB0B99
secur32.dll, xrefs: 00EB0B7A
security.dll, xrefs: 00EB0B7F, 00EB0B87

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 1646373207-3788156360
Opcode ID: 2b534a3ac68ae4d09a2e3f3d872398ebca9d77bc4d55a429ce727fb2a1174a2c
Instruction ID: d572fb15471f926cb99bd1f1672598c69d6c477bad3d15a4a5a44c80839892a0
Opcode Fuzzy Hash: 2b534a3ac68ae4d09a2e3f3d872398ebca9d77bc4d55a429ce727fb2a1174a2c
Instruction Fuzzy Hash: CBF06C707403066BEF2457355C57F6B31C59BC0708FA454BD7A0AF61C5EAB6DD029650

Function 00E501F0 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,?), ref: 00E50355
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?), ref: 00E50546

Part of subcall function 00E4E2F0: GetLastError.KERNEL32(?,00000000,00000000), ref: 00E4E3DB

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 00E50571
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?), ref: 00E50592

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free$ErrorFindLastWindow_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3421515688-0
Opcode ID: ce3e084ef35438faa9ca63fb798d6a8b6bb7d2e0e09eff231267f70b0011c1a9
Instruction ID: 032c4dd67b4da39d6a88f5d39459e63754f39bb14c6b2b28c1d6ff3ececf8451
Opcode Fuzzy Hash: ce3e084ef35438faa9ca63fb798d6a8b6bb7d2e0e09eff231267f70b0011c1a9
Instruction Fuzzy Hash: 81D1F1B4D042598BCB18CFA8D981AEEBBB1FF49314F204159E949B7340E7306A85CFA1

Function 00E21390 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_00043470,00000000,00000000,?,00000008,?,?,8E857614), ref: 00E21499
_Thrd_detach.MSVCP140(00000000,?), ref: 00E214B6
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000001), ref: 00E214EE
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000006), ref: 00E214FD

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Cpp_error@std@@Throw_$Thrd_detach_beginthreadex
String ID:
API String ID: 1544947071-0
Opcode ID: 7fb49f449916620f7f2c2d1d434ddd11ae8d8fde2a48d2adfd8fc8692eb5dd88
Instruction ID: bb9539efaeff68d07f083e1db7af6612fb8c4b61bfbde4b6d47c2b926a6cf10f
Opcode Fuzzy Hash: 7fb49f449916620f7f2c2d1d434ddd11ae8d8fde2a48d2adfd8fc8692eb5dd88
Instruction Fuzzy Hash: 514147B4E04248DFDB05DFA8E845BEEBBB4FF08304F104169E815B7391EB756A058B64

Function 00E63330 Relevance: 6.1, APIs: 4, Instructions: 69sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E4EAB0: _Query_perf_frequency.MSVCP140 ref: 00E4EABE
Part of subcall function 00E4EAB0: _Query_perf_counter.MSVCP140 ref: 00E4EACA

Sleep.KERNEL32(05265C00,00000000,00000000,?,000F4240,00000000,?,?,000F4240,00000000,?,?,?), ref: 00E63380
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E63393
Sleep.KERNEL32(-00000001,00000000,?,000F4240,00000000,?,?,000F4240,00000000,?,?,?,?,?,?,00E6320F), ref: 00E633C4
Sleep.KERNEL32(00000000,00000000,?,000F4240,00000000,?,?,000F4240,00000000,?,?,?,?,?,?,00E6320F), ref: 00E633D8

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequencyUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 182150864-0
Opcode ID: 3bc39f83053371da1cf298b239eab178a657e5001cec86fc7dcc09f6f10265d3
Instruction ID: 425b071bb7a1ce8c4ab9d2d26e9b5906d7a332bd8ca1c5cba9d04daf4a413eee
Opcode Fuzzy Hash: 3bc39f83053371da1cf298b239eab178a657e5001cec86fc7dcc09f6f10265d3
Instruction Fuzzy Hash: 45116331FC4208ABDB14EBB9A8C1AAEB3B4EB54744F102065F620F7352DA70AF444755

Function 00E51E40 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(40010005,00000000,00000000,00000000,?,?,8E857614,?,?), ref: 00E51FA8

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 91d10146cf57147e7acfd8892ed0e96c1f0319a2abbeac89c3405e1d6b3dd99a
Instruction ID: db6f4a0b3b44c6500341ef74badae529f6bd3b9d274db9eada67f896fab65dbf
Opcode Fuzzy Hash: 91d10146cf57147e7acfd8892ed0e96c1f0319a2abbeac89c3405e1d6b3dd99a
Instruction Fuzzy Hash: 4251DEB4D042489BCB14CFA8D981ADDBBF4FF08320F245269E819BB350E7716A45CF68

Function 00E634D0 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_Cnd_do_broadcast_at_thread_exit.MSVCP140 ref: 00E6350C

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Cnd_do_broadcast_at_thread_exit
String ID:
API String ID: 2632783013-0
Opcode ID: 9aa496a4fa47f4649411d94625ac6f410bd281405fde0a19277ef158a0440c8e
Instruction ID: d2b60f1b188900fc911f6d9defabe3fe50e4f4b9d55675212f27ec63cfc95cf2
Opcode Fuzzy Hash: 9aa496a4fa47f4649411d94625ac6f410bd281405fde0a19277ef158a0440c8e
Instruction Fuzzy Hash: 48F031759441099FCB04DFA8ED41BAAB7B4FB04714F10456AE815E7391DB356A05CB50

Function 00E63470 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_Cnd_do_broadcast_at_thread_exit.MSVCP140(?,?,Function_0009D160,000000FF), ref: 00E6349D

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Cnd_do_broadcast_at_thread_exit
String ID:
API String ID: 2632783013-0
Opcode ID: 45d633329d3625a685a96a518ecd143a60a60a0ddfbf8857d78a352551e7fde3
Instruction ID: 8499851d4d45dd2e24a4ed391c3bdb0b0c37a1bc8498ad8fcc67899fa2be102c
Opcode Fuzzy Hash: 45d633329d3625a685a96a518ecd143a60a60a0ddfbf8857d78a352551e7fde3
Instruction Fuzzy Hash: B1F0AE36A45A549FC311DF59DC01F96B3E8FB09B10F00852AFD11E3780DB356D0486D0

Function 00E50D10 Relevance: 1.3, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(DEADBEEF,?,?,8E857614,?,?), ref: 00E50DF7

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: d6444efcbd08e6b08d210bc423b305ad3e74dcfa2258a55a4ac64d4a405e1853
Instruction ID: 31f86f52b3d547c2d49e326539f4fe543fa12fa2c85674adcf574260e1b4d7f5
Opcode Fuzzy Hash: d6444efcbd08e6b08d210bc423b305ad3e74dcfa2258a55a4ac64d4a405e1853
Instruction Fuzzy Hash: D231F0B5D042089FCB10CF98E981ADEBBF4FB09324F24526AE855B7350E7316A058FA4

Function 00E50F9A Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 00E50FAB

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: 40362204f93e5ede287aa980398011c62a7534763a09e8c90a2e312507045390
Instruction ID: e0634f5df9bd6277cfc51afa375616998e779d7b543b205eaa46afdb2161ccf1
Opcode Fuzzy Hash: 40362204f93e5ede287aa980398011c62a7534763a09e8c90a2e312507045390
Instruction Fuzzy Hash: 1EE03075E092488FDB14CF9494527EDB770EB48720F208299ED223B281C63519158BA0

Non-executed Functions

Function 00E3B822 Relevance: 67.5, APIs: 19, Strings: 19, Instructions: 1004COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(?,0000003D,?), ref: 00E3B847
memchr.VCRUNTIME140(?,0000003D,?), ref: 00E3B946

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(sessionid,00000009,?,?), ref: 00E3BB56
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(ownerid), ref: 00E3BBDB

Part of subcall function 00E2E120: memmove.VCRUNTIME140(?,76230E50,?,?,?,?,76230E50), ref: 00E2E152

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(app), ref: 00E3BC60
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(name), ref: 00E3BCE5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(key), ref: 00E3BD6A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(username), ref: 00E3BDEF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(password), ref: 00E3BE74
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(contents), ref: 00E3BEF9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(secret), ref: 00E3BF7E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(version), ref: 00E3C003
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(fileid), ref: 00E3C088
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(webhooks), ref: 00E3C10D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000007,sessionid,00000009,?), ref: 00E3C153
PathFindFileNameW.SHLWAPI(?), ref: 00E3C160
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000007,?,00000006,?,00000008), ref: 00E3C36F

Strings

key, xrefs: 00E3BD04
/, xrefs: 00E3C67F
Pn., xrefs: 00E3C12C
webhooks, xrefs: 00E3C0A7
\Debug\, xrefs: 00E3C2BD
=u, xrefs: 00E3C22E
version, xrefs: 00E3BF9D
username, xrefs: 00E3BD89
app, xrefs: 00E3BBFA
name, xrefs: 00E3BC7F
\KeyAuth, xrefs: 00E3C21A
sessionid, xrefs: 00E3BAF0
secret, xrefs: 00E3BF18
ownerid, xrefs: 00E3BB75
H\, xrefs: 00E3C1E3
fileid, xrefs: 00E3C022
contents, xrefs: 00E3BE93
\Debug, xrefs: 00E3C3B8, 00E3C56A, 00E3C5C8
password, xrefs: 00E3BE0E

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileNamememchr$FindModulePathmallocmemmove
String ID: /$Pn.$\Debug$\Debug\$\KeyAuth$app$contents$fileid$key$name$ownerid$password$secret$sessionid$username$version$webhooks$=u$H\
API String ID: 3080763380-2137530013
Opcode ID: 180843a523d2fcf4dcb38f15bf42082f5ebddb043e1c52042b7f5669929631d2
Instruction ID: dd29de37e9bdbcf783cb91ecb3f4ec8154551a35317d42ba2ab4bbd2c0421ae5
Opcode Fuzzy Hash: 180843a523d2fcf4dcb38f15bf42082f5ebddb043e1c52042b7f5669929631d2
Instruction Fuzzy Hash: F4A28C30D012688ADB29DB24DC99BEDBBB4AF55304F2092D9E54A77292EB745FC4CF10

Function 00E2E840 Relevance: 56.4, APIs: 28, Strings: 4, Instructions: 410injectionmemorysleepCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,00000000,00030000,00003000,00000004,?,?,00000000), ref: 00E2E89A
VirtualProtectEx.KERNEL32(?,00000000,00030000,00000040,?,?,00000000,00030000,00003000,00000004,?,?,00000000), ref: 00E2E8B9
WriteProcessMemory.KERNEL32(?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000,00030000,00003000,00000004,?), ref: 00E2E8FF
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 00E2E93D
VirtualAllocEx.KERNEL32(?,00000000,0000001C,00003000,00000004,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 00E2E969
WriteProcessMemory.KERNEL32(?,00000000,?,0000001C,00000000,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 00E2E982
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 00E2E99F
WriteProcessMemory.KERNEL32(?,00000000,00E2ED10,00001000,00000000,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 00E2E9BC
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 00E2E9D5
CloseHandle.KERNEL32(00000000,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000,00030000,00003000,00000004), ref: 00E2E9E4
GetExitCodeProcess.KERNEL32(?,?), ref: 00E2EA0C
ReadProcessMemory.KERNEL32(?,?,?,0000001C,00000000,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 00E2EA3A
Sleep.KERNEL32(0000000A,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000,00030000,00003000,00000004), ref: 00E2EA51
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(01400000,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000,00030000,00003000,00000004), ref: 00E2EA5F
memset.VCRUNTIME140(00000000,00000000,01400000,00000000), ref: 00E2EA7D
WriteProcessMemory.KERNEL32(?,?,00000000,00001000,00000000,?,?,?,00000000), ref: 00E2EA93
WriteProcessMemory.KERNEL32(?,?,00000103,00000000,00000000,?,?,?,00000000), ref: 00E2EB6A
VirtualProtectEx.KERNEL32(?,?,?,00000002,00000000,?,?,?,00000000), ref: 00E2EBE0
VirtualProtectEx.KERNEL32(?,?,?,00000002,?,?,?,?,00000000), ref: 00E2EC0E
WriteProcessMemory.KERNEL32(?,?,00000103,00001000,00000000,?,?,?,00000000), ref: 00E2EC23
VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,?,00000000), ref: 00E2EC38
VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,?,00000000), ref: 00E2EC45
VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000), ref: 00E2EC6E
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000), ref: 00E2EC7B
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000), ref: 00E2EC89
VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,00EFA688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000), ref: 00E2ECEC

Strings

.rsrc, xrefs: 00E2EAFA
.reloc, xrefs: 00E2EB2A
@@@, xrefs: 00E2EA43
.pdata, xrefs: 00E2EACA

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Process$Memory$Write$Free$AllocProtect$CloseCodeCreateExitHandleReadRemoteSleepThreadmallocmemset
String ID: .pdata$.reloc$.rsrc$@@@
API String ID: 2738092353-1643141565
Opcode ID: ca90f68a2c43816c3a6cf0b7c7e440eedc50db72996548edf33e502ffe7aa8c8
Instruction ID: ea1ede3360831a885f86ac545c51d95a0a9d723b796c296377da9bec48ef6019
Opcode Fuzzy Hash: ca90f68a2c43816c3a6cf0b7c7e440eedc50db72996548edf33e502ffe7aa8c8
Instruction Fuzzy Hash: DAE1C371A40234AFDB208BE5DC41FAEBBB9BF45704F185059FA05BB281D776AC05CB54

Function 00E46AD0 Relevance: 45.2, APIs: 19, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

APIs

_dclass.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,00000000), ref: 00E46E52
__std_exception_destroy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000), ref: 00E47231
__std_exception_destroy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000), ref: 00E47247
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00E472C0
__std_exception_destroy.VCRUNTIME140(?,00000000,object key,0000000A), ref: 00E473A3
__std_exception_destroy.VCRUNTIME140(?), ref: 00E473B9
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,?,?,?,?,?,?,00000000), ref: 00E47412
__std_exception_destroy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000), ref: 00E47591
__std_exception_destroy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000), ref: 00E475A7
__std_exception_destroy.VCRUNTIME140(?,?,?,00000000), ref: 00E47720
__std_exception_destroy.VCRUNTIME140(?,?,?,00000000), ref: 00E47E89
__std_exception_destroy.VCRUNTIME140(?), ref: 00E47E9F

Strings

value, xrefs: 00E47DB8
object key, xrefs: 00E472D2, 00E47ADB
number overflow parsing ', xrefs: 00E47428
object, xrefs: 00E477CD
object separator, xrefs: 00E47157, 00E47957
array, xrefs: 00E47649

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$Xbad_function_call@std@@_dclass_invalid_parameter_noinfo_noreturn
String ID: array$number overflow parsing '$object$object key$object separator$value
API String ID: 2454285746-2528100155
Opcode ID: 63a692b39293b84b8c8092222144b92e89c8a27d28c697f713c87db5dbe3c158
Instruction ID: 1a067ba762eaec9556c687ee62fa000d23cd447ff10ffc3c6b39351ce9ff5a2e
Opcode Fuzzy Hash: 63a692b39293b84b8c8092222144b92e89c8a27d28c697f713c87db5dbe3c158
Instruction Fuzzy Hash: 57C20571E042188FDB18CF68EC84BEEBBB5EF45304F145299E449F7682D770AA85CB91

Function 00E358B0 Relevance: 39.6, APIs: 18, Strings: 4, Instructions: 1085COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,D7C8C78D,?,00000001,8E857614,00000000,00000000), ref: 00E35AD6

Part of subcall function 00E2E120: memmove.VCRUNTIME140(?,76230E50,?,?,?,?,76230E50), ref: 00E2E152

Part of subcall function 00E3AC20: memmove.VCRUNTIME140(?, && timeout /t 5",00000011,?,00EBE2C8,start cmd /C "color b && title Error && echo ,0000002D,?,00EBE2C8,8E857614,00000000), ref: 00E3ACC1
Part of subcall function 00E3AC20: system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000011,00000000, && timeout /t 5",00000011,?,00EBE2C8,start cmd /C "color b && title Error && echo ,0000002D,?,00EBE2C8,8E857614,00000000), ref: 00E3AD26

memmove.VCRUNTIME140(?,00E6042A,00EBDAF9,?,00000000,?,D7C8C78D,?,00000001,8E857614,00000000,00000000), ref: 00E35B33

Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 00E2E08E
Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 00E2E09C

Part of subcall function 00E3F790: memmove.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,00E324D2,?,?,00000000,00000000,?,?,0000000F,00000000), ref: 00E3F7CF

memmove.VCRUNTIME140(00000000,?,?,00000000), ref: 00E35C03
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,00000000), ref: 00E35FE5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,00000000,DDDEC9C6,?,00000001), ref: 00E3613A
memset.VCRUNTIME140(?,00000000,000000B0,00000000,?,00000000,DDDEC9C6,?,00000001), ref: 00E36173
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(DDDEC9C6,?,00000001), ref: 00E36195
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000), ref: 00E361B8
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,00000001), ref: 00E361F2

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z.MSVCP140(Function_0000F740), ref: 00E362A0
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(CBDDD5DF,00000002,00000000), ref: 00E362BD
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(?), ref: 00E362E2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00E3639D

Part of subcall function 00E43770: memmove.VCRUNTIME140(?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F), ref: 00E4382F
Part of subcall function 00E43770: memmove.VCRUNTIME140(?,?,DCC8DA8D,?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D), ref: 00E43840

Part of subcall function 00E3AC20: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E3AD97
Part of subcall function 00E3AC20: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E3ADD1

Part of subcall function 00E41600: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000000,00000000,00F260AC), ref: 00E417BF

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(CDCED9D8,?,00000001,00000000,?,message,success,?), ref: 00E365AB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,message,success,?), ref: 00E366F3
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(CDCED9D8,?,00000001,00000000,?,message,success,?), ref: 00E36769
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00E36775

Part of subcall function 00E63F3B: _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F43
Part of subcall function 00E63F3B: _CxxThrowException.VCRUNTIME140(?,00ED5CAC,?), ref: 00E64ABF

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E3688E

Strings

Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 00E363E4
message, xrefs: 00E36428
You need to run the KeyAuthApp.init(); function before any other KeyAuth functions, xrefs: 00E3591E
success, xrefs: 00E36412

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove$U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@V01@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_iostream@?setw@std@@D@std@@@1@@ExceptionJ@1@_Smanip@_ThrowU?$_V21@@V?$basic_streambuf@Vios_base@1@_callnewhmallocmemsetsystem
String ID: Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: $You need to run the KeyAuthApp.init(); function before any other KeyAuth functions$message$success
API String ID: 3384273977-4017831015
Opcode ID: db907025ae1701a38a0c077324d0728891274155b550c62d6b261bbe8eb43c10
Instruction ID: fe12a62cb8085241b781b02767a4bbfd51616031333c79b763bff3e1378f21d4
Opcode Fuzzy Hash: db907025ae1701a38a0c077324d0728891274155b550c62d6b261bbe8eb43c10
Instruction Fuzzy Hash: 28A2BD71D002589FDB29CB24DC88BEDBBB1AF46304F1482D9E049BB292DB759E85CF51

Function 00E38FA0 Relevance: 38.1, APIs: 17, Strings: 4, Instructions: 1356COMMON

Download Yara Rule

APIs

Part of subcall function 00E2E120: memmove.VCRUNTIME140(?,76230E50,?,?,?,?,76230E50), ref: 00E2E152

Part of subcall function 00E3AC20: memmove.VCRUNTIME140(?, && timeout /t 5",00000011,?,00EBE2C8,start cmd /C "color b && title Error && echo ,0000002D,?,00EBE2C8,8E857614,00000000), ref: 00E3ACC1
Part of subcall function 00E3AC20: system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000011,00000000, && timeout /t 5",00000011,?,00EBE2C8,start cmd /C "color b && title Error && echo ,0000002D,?,00EBE2C8,8E857614,00000000), ref: 00E3AD26

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,CCC8DB8D,?,00000001,?,?,?,8E857614,?,00F26E10), ref: 00E39242

Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 00E2E08E
Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 00E2E09C

Part of subcall function 00E34C10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,C0DAC38D,C0DAC396,?,8E857614,?,00000000,?,?,?,?,?,?,C0DAC38D), ref: 00E34CFC

Part of subcall function 00E3F790: memmove.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,00E324D2,?,?,00000000,00000000,?,?,0000000F,00000000), ref: 00E3F7CF

memmove.VCRUNTIME140(?,?,?,?,00000000,?,CCC8DB8D,?,00000001,?,?,?,8E857614,?,00F26E10), ref: 00E39297
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,C0C2CF8D,?,?,?,?,00000001,?,?,?,8E857614,?,00F26E10), ref: 00E39462
memmove.VCRUNTIME140(00000000,?,?,?,00000000,00000000,C0C2CF8D,?,?,?,?,00000001,?,?,?,8E857614), ref: 00E394BF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000001,?,?,?,8E857614,?,00F26E10), ref: 00E399D2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,00000000,DDDEC9C6,?,00000001), ref: 00E39B49
memset.VCRUNTIME140(?,00000000,000000B0,00000000,?,00000000,DDDEC9C6,?,00000001), ref: 00E39B82
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(DDDEC9C6,?,00000001), ref: 00E39BA4
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000), ref: 00E39BC8
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,00000001), ref: 00E39C02
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z.MSVCP140(Function_0000F740), ref: 00E39CC0
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(CBDDD5DF,00000002,00000000), ref: 00E39CDD
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(?), ref: 00E39D02
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00E39DAB

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(00000100,00000100,00000018,00000000,00000000,?,message,success,?), ref: 00E3A265
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00E3A271
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E3A427

Strings

Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 00E39DEE
message, xrefs: 00E39E39
You need to run the KeyAuthApp.init(); function before any other KeyAuth functions, xrefs: 00E3901D
success, xrefs: 00E39E1D

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@_invalid_parameter_noinfo_noreturnmemmove$??6?$basic_ostream@V01@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_iostream@?setw@std@@D@std@@@1@@J@1@_Smanip@_U?$_V21@@V?$basic_streambuf@Vios_base@1@mallocmemsetsystem
String ID: Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: $You need to run the KeyAuthApp.init(); function before any other KeyAuth functions$message$success
API String ID: 1312736169-4017831015
Opcode ID: cfab49da7678bd02debb818f06159c9efb6032f3977e544b5b74f26cd4e0032c
Instruction ID: 9f3dbbdcb649551e2ef633ceb15b7a9f6196790caa005ca6af4a7af0f4f60ca5
Opcode Fuzzy Hash: cfab49da7678bd02debb818f06159c9efb6032f3977e544b5b74f26cd4e0032c
Instruction Fuzzy Hash: 61D29A71D002588FDB29DB24DC88BEDBBB1AF45304F1482D9E449BB292DB749EC4DB91

Function 00E368D0 Relevance: 34.1, APIs: 15, Strings: 4, Instructions: 827COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,00EBDC34,00F26E10), ref: 00E36A4B

Part of subcall function 00E2E120: memmove.VCRUNTIME140(?,76230E50,?,?,?,?,76230E50), ref: 00E2E152

Part of subcall function 00E3AC20: memmove.VCRUNTIME140(?, && timeout /t 5",00000011,?,00EBE2C8,start cmd /C "color b && title Error && echo ,0000002D,?,00EBE2C8,8E857614,00000000), ref: 00E3ACC1
Part of subcall function 00E3AC20: system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000011,00000000, && timeout /t 5",00000011,?,00EBE2C8,start cmd /C "color b && title Error && echo ,0000002D,?,00EBE2C8,8E857614,00000000), ref: 00E3AD26

Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 00E2E08E
Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 00E2E09C

Part of subcall function 00E34C10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,C0DAC38D,C0DAC396,?,8E857614,?,00000000,?,?,?,?,?,?,C0DAC38D), ref: 00E34CFC

Part of subcall function 00E3F790: memmove.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,00E324D2,?,?,00000000,00000000,?,?,0000000F,00000000), ref: 00E3F7CF

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00EBDC34,00F26E10), ref: 00E36D98
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,DDDEC9C6,?,00000001), ref: 00E36F06
memset.VCRUNTIME140(?,00000000,000000B0,00000000,?,?,DDDEC9C6,?,00000001), ref: 00E36F3F
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(DDDEC9C6,?,00000001), ref: 00E36F61
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000), ref: 00E36F84
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,00000001), ref: 00E36FBE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z.MSVCP140(Function_0000F740), ref: 00E37073
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(DDC8DF8D,00000002,00000000), ref: 00E37090
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(?), ref: 00E370B8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00E3717F

Part of subcall function 00E41260: memmove.VCRUNTIME140(?,?,00E3AFF8,00000000,?,?,00E3AFF8,?,?), ref: 00E4128D

??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(00000000,?,message,success,?), ref: 00E372CD
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00E372D9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E373B3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,?,?,8E857614), ref: 00E374BA

Strings

Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 00E371C6
message, xrefs: 00E3720A
You need to run the KeyAuthApp.init(); function before any other KeyAuth functions, xrefs: 00E3693E
success, xrefs: 00E371F4

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@memmove$_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@V01@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_iostream@?setw@std@@D@std@@@1@@J@1@_Smanip@_U?$_V21@@V?$basic_streambuf@Vios_base@1@memsetsystem
String ID: Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: $You need to run the KeyAuthApp.init(); function before any other KeyAuth functions$message$success
API String ID: 2154783015-4017831015
Opcode ID: 903cba071934447c13d3a26ec7b79c37251dde1efc22c0ab46f204e9cad72816
Instruction ID: 08335d06f1170e2066bc59a5ca7dcadf06f17a4656e568886ddd290c72e3c7d6
Opcode Fuzzy Hash: 903cba071934447c13d3a26ec7b79c37251dde1efc22c0ab46f204e9cad72816
Instruction Fuzzy Hash: DC72BE71D002589FDB29DB24DC88BEDBBB1AF45304F1482D9E449BB292D771AE84CF91

Function 00E47FA0 Relevance: 32.4, APIs: 13, Strings: 5, Instructions: 933COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140(?,?,?,00000000), ref: 00E494AB
__std_exception_destroy.VCRUNTIME140(?), ref: 00E494C1

Strings

object key, xrefs: 00E48931, 00E49112
value, xrefs: 00E493DA
object, xrefs: 00E48DF8
object separator, xrefs: 00E48F88
array, xrefs: 00E48C6E

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy
String ID: array$object$object key$object separator$value
API String ID: 2453523683-2448007618
Opcode ID: 2ddaab02805e93b25e8d85d39bcf88c3f76832d32b0e7b48056f6e5c125a4f89
Instruction ID: e856b41b58206e61bc916a293d32bd2e0a2a63ce06d795035137bd01391aaa8a
Opcode Fuzzy Hash: 2ddaab02805e93b25e8d85d39bcf88c3f76832d32b0e7b48056f6e5c125a4f89
Instruction Fuzzy Hash: F282E671D002188FDB18CB68ED94BEDBBB5BF45304F148299E509BB782DB74AE84CB51

Function 00E53930 Relevance: 31.7, APIs: 13, Strings: 4, Instructions: 1934memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00021200,00003000,00000004,8E857614), ref: 00E5398A
VirtualAllocEx.KERNEL32(?,00000000,00025000,00003000,00000040), ref: 00E53BC0

Strings

;6>>}W^, xrefs: 00E54BC3
,,(>}W^, xrefs: 00E547FD
Eof, xrefs: 00E53F75
e4'3, xrefs: 00E54765

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID: ,,(>}W^$;6>>}W^$Eof$e4'3
API String ID: 4275171209-2422216670
Opcode ID: f9fad94d5ab8057b22d09507645ff611bf1c32f16e74b9284f7c7a4ec875bb65
Instruction ID: 2941eb2435b8004a34bf0087a4e74cdd651de3112d5552ca2518bfa3aa66423c
Opcode Fuzzy Hash: f9fad94d5ab8057b22d09507645ff611bf1c32f16e74b9284f7c7a4ec875bb65
Instruction Fuzzy Hash: 00034535E156148FDB06CF38C850AE8F7B1FF56349F15D35AE8017B2A2EB31A9868B40

Function 00E52950 Relevance: 26.8, APIs: 14, Strings: 1, Instructions: 555serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,00000001), ref: 00E52983
GetLastError.KERNEL32 ref: 00E52994

Part of subcall function 00E4E970: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 00E4E979

OpenServiceW.ADVAPI32(00000000,00000000,00000024), ref: 00E52B49
CloseServiceHandle.ADVAPI32(?), ref: 00E52B5E

Strings

VI@, xrefs: 00E529E9

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: OpenService$CloseErrorHandleLastManager__acrt_iob_func
String ID: VI@
API String ID: 1605991056-509713428
Opcode ID: b1ab93bbaaddf574122355c48923b235079ea0f8a82f6eedc48a3349e26a179b
Instruction ID: f1896790775aac90242add5230947f9099ed9a812eceb05be8e05e8419ce2e79
Opcode Fuzzy Hash: b1ab93bbaaddf574122355c48923b235079ea0f8a82f6eedc48a3349e26a179b
Instruction Fuzzy Hash: 32529EB4E06218EFCB14CF98E991A9DBBB2FF49314F245199E849BB351D7306A85CF40

Function 00E53360 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 163injectionthreadmemoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,00000000,00000014,00003000,00000040), ref: 00E53386

Part of subcall function 00E53550: Thread32First.KERNEL32(00000000,0000001C), ref: 00E53613
Part of subcall function 00E53550: Thread32Next.KERNEL32(00000000,0000001C), ref: 00E53640

OpenThread.KERNEL32(001FFFFF,00000000,00000000,?,00000000,00000014,00003000,00000040), ref: 00E533A7
SuspendThread.KERNEL32(00000000,?,00000000,00000014,00003000,00000040), ref: 00E533BE
GetThreadContext.KERNEL32(00000000,?,?,00000000,00000014,00003000,00000040), ref: 00E533D6
WriteProcessMemory.KERNEL32(?,00000000,00006660,00000003,00000000,?,00000000,00000014,00003000,00000040), ref: 00E53431
WriteProcessMemory.KERNEL32(?,00000003,00000068,00000005,00000000,?,00000000,00006660,00000003,00000000,?,00000000,00000014,00003000,00000040), ref: 00E53440
WriteProcessMemory.KERNEL32(?,00000008,000000E8,00000005,00000000,?,00000003,00000068,00000005,00000000,?,00000000,00006660,00000003,00000000), ref: 00E5344F
WriteProcessMemory.KERNEL32(?,0000000D,fa`f,00000003,00000000,?,00000008,000000E8,00000005,00000000,?,00000003,00000068,00000005,00000000), ref: 00E5345E
WriteProcessMemory.KERNEL32(?,00000010,000000E9,00000005,00000000,?,0000000D,fa`f,00000003,00000000,?,00000008,000000E8,00000005,00000000), ref: 00E5346D
SetThreadContext.KERNEL32(?,0001003F,?,00000010,000000E9,00000005,00000000,?,0000000D,fa`f,00000003,00000000,?,00000008,000000E8,00000005), ref: 00E5347D
ResumeThread.KERNEL32(?,?,00000010,000000E9,00000005,00000000,?,0000000D,fa`f,00000003,00000000,?,00000008,000000E8,00000005,00000000), ref: 00E53484

Strings

h, xrefs: 00E53418
`f, xrefs: 00E5340E
fa`f, xrefs: 00E53455, 00E53458
?, xrefs: 00E533CA

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessThreadWrite$ContextThread32$AllocFirstNextOpenResumeSuspendVirtual
String ID: ?$`f$fa`f$h
API String ID: 3168608564-1748709450
Opcode ID: 78a7b7193904c711b213caa8d3f79b8cc75b20815b6ff081c528ed310281dcee
Instruction ID: 3b31a591a2779cbef6bc7d3822e664b592c13434674eff24ef70fcde2c4aa5ad
Opcode Fuzzy Hash: 78a7b7193904c711b213caa8d3f79b8cc75b20815b6ff081c528ed310281dcee
Instruction Fuzzy Hash: 5851A135A002199FDB25CF64CC84FBEBBB8EF45744F1441AAE915AB251D731AE09CF90

Function 00E24350 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,00F26E10), ref: 00E24388
OpenProcessToken.ADVAPI32(00000000), ref: 00E2438F
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 00E244D4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00E244D9
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 00E244F2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E24500
ConvertSidToStringSidA.ADVAPI32(?,?), ref: 00E24637
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E24646
LocalFree.KERNEL32(00000000,00000000,?), ref: 00E2479F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E247A6
CloseHandle.KERNEL32(00000000), ref: 00E247B2

Strings

,, xrefs: 00E2466C
,, xrefs: 00E2467A
oqD\, xrefs: 00E24656

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Tokenfree$InformationProcess$CloseConvertCurrentFreeHandleLocalOpenStringmalloc
String ID: ,$ ,$oqD\
API String ID: 753083310-193674564
Opcode ID: a5025aad2270711e4daf3eef0f735ab00341f2452b6e010b2237144705a4ed10
Instruction ID: 43dbb15df557d8b9eba0c5ad7dc70314eba0f3faca83e4854ae38b108f1d2aea
Opcode Fuzzy Hash: a5025aad2270711e4daf3eef0f735ab00341f2452b6e010b2237144705a4ed10
Instruction Fuzzy Hash: 93F1DDB8D052189FDB14CFA8E985AEDBBB1FF49304F245219E849B7351D7312A86CF44

Function 00E28060 Relevance: 24.3, APIs: 6, Strings: 6, Instructions: 3286COMMON

Download Yara Rule

APIs

Part of subcall function 00E65030: AcquireSRWLockExclusive.KERNEL32(00F26C18,00E2BB06), ref: 00E65035
Part of subcall function 00E65030: ReleaseSRWLockExclusive.KERNEL32(00F26C18), ref: 00E65075

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E2BB32
GetUserNameA.ADVAPI32(?,?), ref: 00E2BBAC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,8E857614,?), ref: 00E2C8F1

Part of subcall function 00E24350: GetCurrentProcess.KERNEL32(00000008,?,00000000,00F26E10), ref: 00E24388
Part of subcall function 00E24350: OpenProcessToken.ADVAPI32(00000000), ref: 00E2438F

Part of subcall function 00E2D9C0: memmove.VCRUNTIME140(?,?,?), ref: 00E2DA06

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,8E857614,?), ref: 00E2CE41
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 00E2D1C7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?), ref: 00E2D32A

Strings

_Vf=, xrefs: 00E2C92C
et*|, xrefs: 00E2D095
7<,{, xrefs: 00E2ABBF
|3, xrefs: 00E2D22D
_Vf=, xrefs: 00E2CB47
oqD\, xrefs: 00E2BBFC

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ExclusiveLockProcess$AcquireCurrentNameOpenReleaseTokenUsermemmove
String ID: 7<,{$_Vf=$_Vf=$et*|$oqD\$|3
API String ID: 1999400758-2244986176
Opcode ID: 36e8b715c6e94dbaee75e4960650afe42a7d8b189b6128b90e0c2de33572848b
Instruction ID: 5c52fb54482ba6b03aa068647beae95dcb94bc20382f7653749375fcf2d39231
Opcode Fuzzy Hash: 36e8b715c6e94dbaee75e4960650afe42a7d8b189b6128b90e0c2de33572848b
Instruction Fuzzy Hash: 0EA376B4D056688BDBA5CF18DD807A9BBB5AF89314F1051DA9A4DB7342DB302EC1CF18

Function 00E24800 Relevance: 20.4, APIs: 6, Strings: 4, Instructions: 2880registryCOMMON

Download Yara Rule

APIs

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,00000000,00000000), ref: 00E24A04
memchr.VCRUNTIME140(?,00000049,?,?,?,?,?,?,?,F964096D), ref: 00E27779
memchr.VCRUNTIME140(00000001,00000049,?,?,?,?,?,?,?,?,?,?,F964096D), ref: 00E277F2
RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 00E24A2A

Part of subcall function 00E2D9C0: memmove.VCRUNTIME140(?,?,?), ref: 00E2DA06

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 00E2802F

Part of subcall function 00E2DEC0: memchr.VCRUNTIME140 ref: 00E2DF08
Part of subcall function 00E2DEC0: memchr.VCRUNTIME140(00000001,?,?), ref: 00E2DF8B

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 00E27F66

Strings

et*|, xrefs: 00E27E73
IP_PLACEHOLDER, xrefs: 00E27792
engine, xrefs: 00E27F30
7<,{, xrefs: 00E26A3F

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memchr$_invalid_parameter_noinfo_noreturn$CreateOpenmallocmemmove
String ID: 7<,{$IP_PLACEHOLDER$user$et*|
API String ID: 4066840904-1141489582
Opcode ID: eddf52a749d3cacdefc4cd1cafdb42fbb0c7cd8225c2ae9b273808e4651de17b
Instruction ID: 18dfd214ce92fca2c95ec5dce3b3f7982cc0a0b6929fe037fafa53da52e2ba1c
Opcode Fuzzy Hash: eddf52a749d3cacdefc4cd1cafdb42fbb0c7cd8225c2ae9b273808e4651de17b
Instruction Fuzzy Hash: AA8376B8D053688BDB65CFA8D981ADCBBB1BF4A314F204199D94DBB351DB306A81CF44

Function 00E63BEB Relevance: 16.7, APIs: 11, Instructions: 200fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?,?), ref: 00E63C83
GetLastError.KERNEL32 ref: 00E63C8D
FindFirstFileW.KERNEL32(?,?), ref: 00E63CA4
GetLastError.KERNEL32 ref: 00E63CAF
FindClose.KERNEL32(00000000), ref: 00E63CBB
___std_fs_open_handle@16.LIBCPMT ref: 00E63D74
___std_fs_close_handle@4.MSVCPRT ref: 00E63E3B

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_close_handle@4___std_fs_open_handle@16
String ID:
API String ID: 3584187540-0
Opcode ID: c8fcd0832ba7bdeab51b06df33e7bdbf8589ec0a77bf080eb4c2c5a642056070
Instruction ID: 64bd48d92d7bb85d3f5973daa477a927f9cc505c57b4bce68bbbe57845004081
Opcode Fuzzy Hash: c8fcd0832ba7bdeab51b06df33e7bdbf8589ec0a77bf080eb4c2c5a642056070
Instruction Fuzzy Hash: 5471BF74A807199FCB20CF39EC85BA9B7B8BF053A4F145299E855F3281DB319E45CB60

Function 00E481D6 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 429COMMON

Download Yara Rule

APIs

_dclass.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00E481E4
__std_exception_destroy.VCRUNTIME140 ref: 00E48BAC
__std_exception_destroy.VCRUNTIME140(?), ref: 00E48BC2

Strings

object key, xrefs: 00E48931
number overflow parsing ', xrefs: 00E48A6D

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$_dclass
String ID: number overflow parsing '$object key
API String ID: 1615805995-1994755323
Opcode ID: 6a5b9de9faae578765ae16241f73c7c42af2eedfaa465da9d6eabe64d6e60889
Instruction ID: 024fca2fe57acb9d06ed79f8efc95083888d039e07862734d719b812ebe25be8
Opcode Fuzzy Hash: 6a5b9de9faae578765ae16241f73c7c42af2eedfaa465da9d6eabe64d6e60889
Instruction Fuzzy Hash: C402E171D002188FDB18CF68DD84BEDF7B1BF49304F149299E509BB682DB74AA84CB90

Function 00E505B0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100,?,?,?,?), ref: 00E507B5
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,?), ref: 00E507DA
VerSetConditionMask.KERNEL32(00000000), ref: 00E507DE
VerSetConditionMask.KERNEL32(00000000), ref: 00E507E2
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 00E50809
GetLastError.KERNEL32 ref: 00E50828
GetLastError.KERNEL32 ref: 00E508E6

Strings

print, xrefs: 00E508CA

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ConditionMask$ErrorLast$InfoVerifyVersionmemset
String ID: print
API String ID: 844649642-366378086
Opcode ID: 74135ec7abb86db334ca8524055b56ffe1bf12f7dc6ed6bac78471b612fe7dc4
Instruction ID: 4bb0c60eb849e357a5cc7512edb9c544a0d26c1850d9c1850d0184df805adf40
Opcode Fuzzy Hash: 74135ec7abb86db334ca8524055b56ffe1bf12f7dc6ed6bac78471b612fe7dc4
Instruction Fuzzy Hash: F9A1E274A042289BDB25CF28DC95BD9BBB4EF49304F0441DAE949AB351DB31AF85CF80

Function 00E8CB30 Relevance: 10.2, Strings: 8, Instructions: 222COMMON

Download Yara Rule

Strings

%2lld.%0lldG, xrefs: 00E8CD0D
%4lldT, xrefs: 00E8CD57
%4lldk, xrefs: 00E8CB82
%4lldP, xrefs: 00E8CD64
%4lldM, xrefs: 00E8CC6C
%5lld, xrefs: 00E8CB50
%2lld.%0lldM, xrefs: 00E8CC3A
%4lldG, xrefs: 00E8CD3D

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
API String ID: 0-3476178709
Opcode ID: 5b7434464126aee10a0c572c76b316b1260a53e0e1728ebd35ad2f8f0480b0d6
Instruction ID: e9dde739ab473bb84c69ef267c69cb86aec5551366c6795525d952e09ca9cbbe
Opcode Fuzzy Hash: 5b7434464126aee10a0c572c76b316b1260a53e0e1728ebd35ad2f8f0480b0d6
Instruction Fuzzy Hash: 2B5137B27057051BE708A86DDD82B6BB1C9E786714F98193CB94EE73D2F1A9CC0143A6

Function 00E64AD5 Relevance: 9.1, APIs: 6, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 00E64AE1
memset.VCRUNTIME140(?,00000000,00000003), ref: 00E64B07
memset.VCRUNTIME140(?,00000000,00000050), ref: 00E64B91
IsDebuggerPresent.KERNEL32 ref: 00E64BAD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 00E64BC6
UnhandledExceptionFilter.KERNEL32(?), ref: 00E64BD0

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: 33669caeb57afb810501d6eb2afc7c3e59af4b07437c389058c6b111ca60656a
Instruction ID: 7e8d4cc38dde1082bed44a65cb05c3837f486a88323ca9eeb41192b8bb33a210
Opcode Fuzzy Hash: 33669caeb57afb810501d6eb2afc7c3e59af4b07437c389058c6b111ca60656a
Instruction Fuzzy Hash: 373129B5C05218DBDB20DFA5D949BCDBBF8BF08740F1051EAE40CAB291E7719A858F45

Function 00E5AE20 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 353COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00E5B057

Part of subcall function 00E4E970: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 00E4E979

Strings

lp4<, xrefs: 00E5AFEF
XI3;, xrefs: 00E5AF55
@PG@Q5, xrefs: 00E5B2A6

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__acrt_iob_func
String ID: @PG@Q5$XI3;$lp4<
API String ID: 220543977-3768292294
Opcode ID: 25302f3f98dd7e633421c68757d155674e0e22e0e49d4dd435b873032f99ab62
Instruction ID: 9429cc66c5fb5fcca474d2eebc8f1a04ca2231da85e053a7d0b3c51fe99fed62
Opcode Fuzzy Hash: 25302f3f98dd7e633421c68757d155674e0e22e0e49d4dd435b873032f99ab62
Instruction Fuzzy Hash: 8B021774A04229CFDB29CF08C890BA9B7B1BF48705F1995DDD9496B311DB71AE85CF80

Function 00E53710 Relevance: 6.2, APIs: 4, Instructions: 170stringCOMMON

Download Yara Rule

APIs

Process32FirstW.KERNEL32(00000000,0000022C), ref: 00E537E2
wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000104), ref: 00E53813
strstr.VCRUNTIME140(?,?), ref: 00E53825
Process32NextW.KERNEL32(?,0000022C), ref: 00E5383F

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Process32$FirstNextstrstrwcstombs
String ID:
API String ID: 2424144712-0
Opcode ID: b5967f46daa0bb1cfda0df64010834f3b70c337c09c099727aff5cd5725fde0a
Instruction ID: ef6a7a60c09c3a52a01c727453af0b3bfb0fc32b2d6d4dceff6ce4baba4bcda2
Opcode Fuzzy Hash: b5967f46daa0bb1cfda0df64010834f3b70c337c09c099727aff5cd5725fde0a
Instruction Fuzzy Hash: 4061D074A002198FCB29CF28C890AA9B3B5EF48758F1555DAE848AF351D731BF49CB80

Function 00E40D00 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 292COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E41035

Strings

\u%04x, xrefs: 00E40F12
%.2X, xrefs: 00E40DE1, 00E40FFF

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %.2X$\u%04x
API String ID: 3668304517-1814277092
Opcode ID: 017af0a7eb12726f92f7c6fba3fb96a1c0c6ada29c002fe339f9c3ba75746e3f
Instruction ID: 5a1c2d773d5c978f3e9425bdec70756f4e66be51bb197c036c4e2a3d60bdbdf3
Opcode Fuzzy Hash: 017af0a7eb12726f92f7c6fba3fb96a1c0c6ada29c002fe339f9c3ba75746e3f
Instruction Fuzzy Hash: C2B1E331E001159BCB24CF68E884ABEBBB1EF49304F1492BAE615FB251D736DA55CB90

Function 00E63EAF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002,8E857614,?,00E2F623,?,8E857614), ref: 00E63EC3
FormatMessageA.KERNEL32(00001300,00000000,00000000,?,8E857614,00000000,00000000,?,?,00E2F623,?,8E857614), ref: 00E63EEA

Strings

!x-sys-default-locale, xrefs: 00E63EBE

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: e780a80b4f85c560d3e93a6b4f783614b1a9aab474991dccee99d7df95403f42
Instruction ID: 672d406a179a02080f2ffd24d0aa0e0fb7f7ff5700fec5e2b77affc50fa21cc0
Opcode Fuzzy Hash: e780a80b4f85c560d3e93a6b4f783614b1a9aab474991dccee99d7df95403f42
Instruction Fuzzy Hash: 26F03076654209FFEB049BD5DD0ADEB7AACEF097D5F005059B602E6041E2B2AF009770

Function 00E23920 Relevance: 4.2, Strings: 3, Instructions: 456COMMON

Download Yara Rule

Strings

`|a{U, xrefs: 00E239BC
\T\US[?, xrefs: 00E23EBB
1.C, xrefs: 00E23E34

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 1.C$\T\US[?$`|a{U
API String ID: 0-1763564542
Opcode ID: d59e1460f7568bf0ce4a7e1043cc66961fc436e1596cbfd245f6d663169eba69
Instruction ID: 33d93299decb74d49e79c0ce1b56ae4e0c02b53a06bbe6af497e4be30ba49d44
Opcode Fuzzy Hash: d59e1460f7568bf0ce4a7e1043cc66961fc436e1596cbfd245f6d663169eba69
Instruction Fuzzy Hash: 27124775D167498FEB02CF79D8013E9F7B5AFAB244F14D36AE80076262E731A6C68740

Function 00E514A0 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

hXMV, xrefs: 00E51619
G'xC, xrefs: 00E514EB
hXMV, xrefs: 00E51604

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: G'xC$hXMV$hXMV
API String ID: 0-3779631648
Opcode ID: dde45cd617de0a2239f28acbc8bac91d60940a11dbf30734da7b8d28e4a9b1aa
Instruction ID: 5a3087ccbc16180c524243c7dfcb0762cbd4ae7611809666337b7bb2a820a3dd
Opcode Fuzzy Hash: dde45cd617de0a2239f28acbc8bac91d60940a11dbf30734da7b8d28e4a9b1aa
Instruction Fuzzy Hash: F651DEB5D19658ABCB04CFA9E881ADDFBB4FF49310F14822AE855BB350E7306905CF54

Function 00E31ED0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 00E426A0: memmove.VCRUNTIME140(00000000,00000000,00E34792,?,00000000), ref: 00E4276D

___std_fs_get_current_path@8.LIBCPMT ref: 00E31F82

Strings

.tex, xrefs: 00E32121

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ___std_fs_get_current_path@8memmove
String ID: .tex
API String ID: 2466531287-1946526065
Opcode ID: c2da73405d67c28765e21d70e3db928edfc84714f62fca9ad9b2075210bb57e0
Instruction ID: e27ef183e8a63d68828ba0ce992aa7d1d9e36b3edc67f7ff47c5999c431fe99e
Opcode Fuzzy Hash: c2da73405d67c28765e21d70e3db928edfc84714f62fca9ad9b2075210bb57e0
Instruction Fuzzy Hash: 47A1BCB0A043459FCB14CF28D9446AEFBF1FF88704F108A2EE595A7340E771A944CB91

Function 00E59920 Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00E59B57

Part of subcall function 00E4E970: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 00E4E979

Strings

@PG@Q5, xrefs: 00E59DA6

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__acrt_iob_func
String ID: @PG@Q5
API String ID: 220543977-96674166
Opcode ID: 11280a67973e8b13d14f0d501413a210a9e7138309d4bfa70bdbdbc2b1e41239
Instruction ID: 386b8a1e9364ba603bafd693c555e6c825abaaca5ace70be16dc21c352dcd922
Opcode Fuzzy Hash: 11280a67973e8b13d14f0d501413a210a9e7138309d4bfa70bdbdbc2b1e41239
Instruction Fuzzy Hash: 2D02F434904229CBDB29CF08C890BA9B7B1FF49705F1595DDD94A6B352DB70AE85CF80

Function 00E5A770 Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00E5A9A7

Part of subcall function 00E4E970: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 00E4E979

Strings

@PG@Q5, xrefs: 00E5ABF6

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__acrt_iob_func
String ID: @PG@Q5
API String ID: 220543977-96674166
Opcode ID: 04288e44315b914aedc960d53d3cc99a998770270238c570353776d751a50374
Instruction ID: 953dd8ac5dadc622a0ba1099a1e45ff52cbdbfacca97be4c05cdbbf1445d3c8e
Opcode Fuzzy Hash: 04288e44315b914aedc960d53d3cc99a998770270238c570353776d751a50374
Instruction Fuzzy Hash: D90207749002258FDB29CF08C8A0BA9B7B1FF49705F1996DED9496B311D731AE85CF80

Function 00E567C1 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 00E567CC

Part of subcall function 00E4E970: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 00E4E979

Strings

@PG@Q5, xrefs: 00E56A29

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__acrt_iob_func
String ID: @PG@Q5
API String ID: 220543977-96674166
Opcode ID: bad08894396f49d8ba438af09204145d54a0ea2034c953143054f7f44954dfb6
Instruction ID: e299d34bdca22a5d29e013a18d7f453ab2c338fd2e4ccf2299099434e49cbda3
Opcode Fuzzy Hash: bad08894396f49d8ba438af09204145d54a0ea2034c953143054f7f44954dfb6
Instruction Fuzzy Hash: D7A1EF74905269CFEB29CF08C890BA9B7B1FF49305F0992DAD949AB351D730AE85CF40

Function 00E53550 Relevance: 3.2, APIs: 2, Instructions: 160threadCOMMON

Download Yara Rule

APIs

Thread32First.KERNEL32(00000000,0000001C), ref: 00E53613
Thread32Next.KERNEL32(00000000,0000001C), ref: 00E53640

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Thread32$FirstNext
String ID:
API String ID: 3555619780-0
Opcode ID: 48f28a18adb853a08e633cd58cf60cb48c68fc0cc268c68cd9b1b7b57c71bd85
Instruction ID: dbdfd6208577dd3621350285942cf683ea537697fc8114e6df653b8e75cbf36a
Opcode Fuzzy Hash: 48f28a18adb853a08e633cd58cf60cb48c68fc0cc268c68cd9b1b7b57c71bd85
Instruction Fuzzy Hash: A5518A34A002198FCB14CF68C4D0EA9F3F1EF49359B1965AED915AB322D731EE09CB90

Function 00E578C0 Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

\~`[, xrefs: 00E57A05
@PG@Q5, xrefs: 00E5797E

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5$\~`[
API String ID: 0-873556266
Opcode ID: 853f98cdf0b6e2da9c7d087e18ac91ffc44a2d237a5c92ea3672329f8b52ce1d
Instruction ID: 466cf0d60a11f29d64f1c4a0c714f651303b8a59b6c6b0d52d17245d759b6e07
Opcode Fuzzy Hash: 853f98cdf0b6e2da9c7d087e18ac91ffc44a2d237a5c92ea3672329f8b52ce1d
Instruction Fuzzy Hash: 95516C34A052258FDB29CF08C460BA5B7B1FF89709F1A55DEC98A6B351DB30AE45CF80

Function 00E57040 Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 00E570F6
}Ej, xrefs: 00E5708F

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5$}Ej
API String ID: 0-3380338130
Opcode ID: f8897eddd327116d35c41f7bb53a33a19aafb1e4499931d04ca24409007d09d7
Instruction ID: bb2cb0dae1955399bd4500715f073c54b4a401c8c9e4f570ebfd1beaa72cdff6
Opcode Fuzzy Hash: f8897eddd327116d35c41f7bb53a33a19aafb1e4499931d04ca24409007d09d7
Instruction Fuzzy Hash: CA519A34A052258FCB28CF18C4A0B69B3F1FF49709F1A55DEC88A6B351DB30AD46CB80

Function 00E58600 Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

&o4M, xrefs: 00E58745
@PG@Q5, xrefs: 00E586B6

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: &o4M$@PG@Q5
API String ID: 0-1811181629
Opcode ID: f5d22ec8832411ff8ca78cd66323c65170111dd46c26011d3bd6239f08f3a36a
Instruction ID: 1801ee8c94ae2d9a486c70b7d498869797b3dab4582a4857f181dcd8cb859b4f
Opcode Fuzzy Hash: f5d22ec8832411ff8ca78cd66323c65170111dd46c26011d3bd6239f08f3a36a
Instruction Fuzzy Hash: BD513735A011258FDB28CF18C5A0AA5B7B1FF49709F1A55DAC84A6B362DB70AD45CB80

Function 00E4ACB0 Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 00E4ADC3

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: ef729e633cecfbaaa0c92093d03fe6daabdf51af270874485d0ab7b815c1c0d9
Instruction ID: aeac3bf5ad0cd6207f220b6a1f4369e74b07723384b0f25a0555ef72f2f4323b
Opcode Fuzzy Hash: ef729e633cecfbaaa0c92093d03fe6daabdf51af270874485d0ab7b815c1c0d9
Instruction Fuzzy Hash: F6C16971E1065A9FCB05CFA8D4806ADFBF1FF59310F58926AE806EB345D730A944CB91

Function 00E4B960 Relevance: 1.8, APIs: 1, Instructions: 285COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(8E857614,?,00000000), ref: 00E4BA49

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: b68b0841467cc20ceb5f03667859402e101578d1eb187d59c0e68369633b0481
Instruction ID: bd376919cc5097c214e24518663715d153281e50dad3330ed62ccbfa5d9a41f9
Opcode Fuzzy Hash: b68b0841467cc20ceb5f03667859402e101578d1eb187d59c0e68369633b0481
Instruction Fuzzy Hash: 6BB15771A0465A8FCB15CFA8E480AADFBF1FF99300F549299E846EB345D730E940CB90

Function 00E4B320 Relevance: 1.8, APIs: 1, Instructions: 282COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(8E857614,?,00000000,?,?,?,?,?,?), ref: 00E4B400

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: 9859b71a9d20569e6d3b1f54cee8f82681533b7c7cc5b94c71edc0e89c544bf8
Instruction ID: aeb5dbd4d6592b7b777748b5ba2ac251d86d3e8dc0a9131a642d780784976ba8
Opcode Fuzzy Hash: 9859b71a9d20569e6d3b1f54cee8f82681533b7c7cc5b94c71edc0e89c544bf8
Instruction Fuzzy Hash: D4B14875A0465A8FCB15CFACD480AADFBF1BF99300F159699E846EB345E730E940CB90

Function 00E4B640 Relevance: 1.8, APIs: 1, Instructions: 282COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(8E857614,?,00000000,?,?,?,00EBF4DD,000000FF), ref: 00E4B720

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: b76717ada35e5838c855a710dad1f109d069ee4acf0d75f5c1a9f3bfcd2e5971
Instruction ID: 3df6d0a0c37e97e7665409df1369cf1cac8e1afa5291dc483914c0297adadbb6
Opcode Fuzzy Hash: b76717ada35e5838c855a710dad1f109d069ee4acf0d75f5c1a9f3bfcd2e5971
Instruction Fuzzy Hash: 1BB16875A046098FCB18CF68E480AADFBF1FF99300F55969AE846EB345D730E840CB90

Function 00E4B000 Relevance: 1.8, APIs: 1, Instructions: 280COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(8E857614,?,00000000), ref: 00E4B0DE

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: 47bb1c55640209324df09a0eaff1ac8b298f6f91e741f16437b0ec5224e6176b
Instruction ID: 922a3b2cd7e0f7b00cdecb8626f5c34e75f9b2fe3226b33b17d8b2ab0c3c480a
Opcode Fuzzy Hash: 47bb1c55640209324df09a0eaff1ac8b298f6f91e741f16437b0ec5224e6176b
Instruction Fuzzy Hash: 69B15771A0064A8FCB05CFA8D890AADFBF1BF99300F149659E856FB355D770E940CB94

Function 00E4BC90 Relevance: 1.8, APIs: 1, Instructions: 279COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(00000000,8E857614,?,00000000), ref: 00E4BD70

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: d8978391332b5ffd58931d5f5f1d39307d0c1296fc37ab37e4da988342d05f95
Instruction ID: e2c338c681c3e0242e5df8f72d84d825a012dcd5a06c98b1084ad472798cba73
Opcode Fuzzy Hash: d8978391332b5ffd58931d5f5f1d39307d0c1296fc37ab37e4da988342d05f95
Instruction Fuzzy Hash: D2B15771A0064ACFCB04CFA8D890AADFBF1BF89300F549699E806EB345D730E945CB90

Function 00E64763 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 00E64779

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: edd84bd098547ceed6aa140cea3f23ac023b666a420ed645b291f6632da4d204
Instruction ID: e0193f71d262268a5bfa2b534fade10057416a64ac3d7838b8d6c8f26c0d4e4c
Opcode Fuzzy Hash: edd84bd098547ceed6aa140cea3f23ac023b666a420ed645b291f6632da4d204
Instruction Fuzzy Hash: D2A18EB1A41615DFDB18CF96FC816A9BBB0FB88324F24912BE425FB2A1D3749844CF50

Function 00E4D020 Relevance: 1.6, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a77085fcb5963fc2eef8a5b5570297ae71cff60d99f716f1182e5039cdd7ab5
Instruction ID: 035a704d7ff418ba2b4fa2cd4d58239e21c61be45c4e5fc1b9e067c8dc250774
Opcode Fuzzy Hash: 0a77085fcb5963fc2eef8a5b5570297ae71cff60d99f716f1182e5039cdd7ab5
Instruction Fuzzy Hash: BCE10572E046298FDF08CF99D8915EEBBB2FBD8314B1A826DD85677344CA306D05CB90

Function 00E8F990 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(00000000,?), ref: 00E8F9E0

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: 9ac035f5276f6cc66017e2bf61d3e5b74974bd8de2fa688597ab63d23b058e58
Instruction ID: ae004d5b13e6b7d4c8d5f55d0995998ffb90ca5615869ef623a82be1e097106c
Opcode Fuzzy Hash: 9ac035f5276f6cc66017e2bf61d3e5b74974bd8de2fa688597ab63d23b058e58
Instruction Fuzzy Hash: 4B1159722043459AE710DE69ED40B27B7D8EBD1368F5459BBF54CF3281D721C8058761

Function 00E51A10 Relevance: 1.5, APIs: 1, Instructions: 258COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,000002C8,?,?), ref: 00E51BFE

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 9a332d5ccb39b31cb3c07e963da58901ca102ffeabde6946e2ae708c1dc46185
Instruction ID: ca065d0d937a931fd0026360565fdc75c34f6218475cf8a80314dbf1644cb4b9
Opcode Fuzzy Hash: 9a332d5ccb39b31cb3c07e963da58901ca102ffeabde6946e2ae708c1dc46185
Instruction Fuzzy Hash: 31C13574A412698FCB29CF18C898BA8B7B4FF48305F1455EAD849BB351DB70AE85CF44

Function 00E5571B Relevance: 1.5, Strings: 1, Instructions: 244COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 00E559F6

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: 178d246145e9492539196281bd346b379594bcd008dd0f5f7fe5a4bcb66189c5
Instruction ID: d949d3cbe2bc3f7a455b8d762363e664bb8a9873aeebf4f11922450b69984846
Opcode Fuzzy Hash: 178d246145e9492539196281bd346b379594bcd008dd0f5f7fe5a4bcb66189c5
Instruction Fuzzy Hash: 5EB122359166558FDB16CF35C860BA4F3F0FF66245F1593DAD8087B262EB30AA86CB40

Function 00E46020 Relevance: 1.5, APIs: 1, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 908d1136104204d679281c92e3c4dad7694b61311362a5b44d9880609a68f6ff
Instruction ID: c027b9f7040a3618437aab4764243b27d28850f2b43ffe3d3901aaff1ae5b201
Opcode Fuzzy Hash: 908d1136104204d679281c92e3c4dad7694b61311362a5b44d9880609a68f6ff
Instruction Fuzzy Hash: AD715DB1E0111A9FCB18CFA9D8416AEF7B2FF89300F55926AD915F7344E730AA10CB85

Function 00E444A0 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

null, xrefs: 00E4463B

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: null
API String ID: 0-634125391
Opcode ID: 68ed8d74ee69e0ed852d4dc135833fe056176e27a69c4c8dfed0f026e6eb741a
Instruction ID: 338ad7c71f716d45709b1e29ce88d37cbc513184496384f916cc919cc73a4e8d
Opcode Fuzzy Hash: 68ed8d74ee69e0ed852d4dc135833fe056176e27a69c4c8dfed0f026e6eb741a
Instruction Fuzzy Hash: 125180B1B005189BCF24EFB8F4527ADB3F5DF49314F40619EF92AAB6C2CA755A048781

Function 00E58D80 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 00E58EE6

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: 2580cc0a61de09f105fb54eea51c9a61cc73ab16632cc1af6ff748391640c2b6
Instruction ID: c1712d9f737a3705edb3cf1d5f287624ed9f227e008358dfb271cefd8a52202b
Opcode Fuzzy Hash: 2580cc0a61de09f105fb54eea51c9a61cc73ab16632cc1af6ff748391640c2b6
Instruction Fuzzy Hash: E3714C34A002258FCB29CF08C5A0AA9B7B1FF49709F1A95DEC94A7B311DB30AD45CF80

Function 00E57480 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 00E5753E

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: 9108faa47032647dbbf3373e1363a1aa42a01a3f905a45aa17ab3dff672c65b6
Instruction ID: 6db67df9cf155beb99995668c36603b307890f230f88d77178add9ad01f35c52
Opcode Fuzzy Hash: 9108faa47032647dbbf3373e1363a1aa42a01a3f905a45aa17ab3dff672c65b6
Instruction Fuzzy Hash: A6515D349051258FDB29CF08C4A0BA5B7B1FF49709F1A95DEC98A6B361EB31AD45CF80

Function 00E57D00 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 00E57DBE

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: 365e402604e17aeb270c654bc910ce1873e111d4f9b8c8512d2125bcf6925df0
Instruction ID: e4cfd204d5a2678304dc494f3837c80ee7d7d639478a6a863c2584eb06bf461a
Opcode Fuzzy Hash: 365e402604e17aeb270c654bc910ce1873e111d4f9b8c8512d2125bcf6925df0
Instruction Fuzzy Hash: 98516B34A052258FDB29CF04C4A0BA5B7B1FF49709F1A55DEC98A6B351DB31AD45CF80

Function 00E56390 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 00E56446

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: a3870ce17df2e2ddc0515a962fdffb51c44dba0811bc97de96b9dd29fcc14448
Instruction ID: 7541b8dcbddf8fbb25f3277009a478a3554c212e3d822bbec7b84ef5cea6613e
Opcode Fuzzy Hash: a3870ce17df2e2ddc0515a962fdffb51c44dba0811bc97de96b9dd29fcc14448
Instruction Fuzzy Hash: AF515C34A012258FDB28CF08C4A0B79B7B1FF49709F1A95DEC95A6B352DB31AD45CB80

Function 00E55E00 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 00E55EB7

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: 36726b5435061ce296d9d789d77b631582cfec22cbac6e2e363a3b41982e9e6a
Instruction ID: c6ddfd647aee1bbc7e45c51082fe2867706a256757d4dfb161f9a646354c3643
Opcode Fuzzy Hash: 36726b5435061ce296d9d789d77b631582cfec22cbac6e2e363a3b41982e9e6a
Instruction Fuzzy Hash: AB517A35A005258FDB29CF08C4A0BA5B7B1FF49709F1A95DEC84A6B312DB31AE45CF80

Function 00E82710 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 01def42dd6ca1105f64d7c652b82dd057e89b74811c95c3d8bcef13947a58aae
Instruction ID: 0b1d335a5b7caf5f6579115c34d6af1b37c8508cfafb34ee706fa9bf5f4b38b4
Opcode Fuzzy Hash: 01def42dd6ca1105f64d7c652b82dd057e89b74811c95c3d8bcef13947a58aae
Instruction Fuzzy Hash: 0822EFB1A083418FC714EF18D48036AFBE1FF88354F54596EEA9EA7381E735D9458B82

Function 00E4A7B0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a6f33583e4855e455d30f219b2aa449d9c1ca3f6d6f40a1d767f5497d444547f
Instruction ID: 4069fd479909d88c53f5a804913066f1ff8ad26b52b207e4c14335e3f2b46011
Opcode Fuzzy Hash: a6f33583e4855e455d30f219b2aa449d9c1ca3f6d6f40a1d767f5497d444547f
Instruction Fuzzy Hash: C3A18F71A0424A8FCB09CF68E4806ADFBF1FF99310F5992A9E845FB345D730A841CB91

Function 00E49D80 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 976b439138cae4aff959418f3a7e28305ee8c5c0296ec256efeb98879b84d72e
Instruction ID: a6ed0da940d3a7414e56ce10e1256ac806d86e329481a3757c36b43714b8a46d
Opcode Fuzzy Hash: 976b439138cae4aff959418f3a7e28305ee8c5c0296ec256efeb98879b84d72e
Instruction Fuzzy Hash: 97512D72E0051A9FCB04CFA9D980AAEB7F5FB48310F55926AE815F7741E731AD10CB94

Function 00E4D7C0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bc4413aa54db0751eae914992ab68d472a66c5de46c0ce382f3ee32c2b4c9ab2
Instruction ID: 7d98f8a0ae296f0345e7a10ab75207d7eb2ced08b442200ec1885e21af452d3b
Opcode Fuzzy Hash: bc4413aa54db0751eae914992ab68d472a66c5de46c0ce382f3ee32c2b4c9ab2
Instruction Fuzzy Hash: 7671BFB5E002189FCB48CFA9D9856ADFBF1FF4C310B1581AAE819E7305D734AA518F94

Function 00E565C7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92cd6d70b484a2e5ff47d394f83d7b7b2b14b3a3b505d54de5a58e292943b035
Instruction ID: 0c851d4ee713caf2418538201c199cca556c1ec5118760ab00bde92c918c2e58
Opcode Fuzzy Hash: 92cd6d70b484a2e5ff47d394f83d7b7b2b14b3a3b505d54de5a58e292943b035
Instruction Fuzzy Hash: 3E2189386045118FCB28CF08C8A0E65B3B2FF95309F5995DDC8496B362DB32AD4ACB80

Function 00E4EDA0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 00E765E0 Relevance: 28.9, APIs: 23, Instructions: 180COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E76658
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000088,00000000), ref: 00E7667A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E76690
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E766B8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?), ref: 00E76758
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00E7676E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000), ref: 00E7678A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?), ref: 00E767CA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 00E767E0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E767F6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 00E7680C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?), ref: 00E76822
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00E76838
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 00E7684E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 00E76864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 00E7687A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 00E76890
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 00E768A6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 00E768BC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 00E768D2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E768E8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E76909
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00000D30), ref: 00E76935

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 2cb89759e26d0888ecdc510e48b2a8a87ad25f3b84b4cd88a4214346ccffda09
Instruction ID: 7e485f2aa18264ef7eab8800c31b7c2270924a57864c551cdda3e7abda451dc4
Opcode Fuzzy Hash: 2cb89759e26d0888ecdc510e48b2a8a87ad25f3b84b4cd88a4214346ccffda09
Instruction Fuzzy Hash: 2A812C70601A02BFEB496FB5EC49BD9FBA5FF04309F005216F52C651A2CB766068DBE1

Function 00E8CD90 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 346COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8CDE3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8CE7B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8CE9E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8CEB1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8CEEF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8CF4D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8CF74
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8CF87
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8CFD9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8D0EB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8D0F7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8D11D
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 00E8D214

Strings

%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 00E8D1FE
** Resuming transfer from byte position %lld, xrefs: 00E8CE0E
%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 00E8CE21

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$fflush
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %lld
API String ID: 1893817590-1872798829
Opcode ID: 54caa27b5828a995c160e64cbe2a6835ea067bb90953e0d78ad24f49b803acf9
Instruction ID: 1bb2a29eb919115680338f471214d470efc97332daa91179c34b2756ce5295f1
Opcode Fuzzy Hash: 54caa27b5828a995c160e64cbe2a6835ea067bb90953e0d78ad24f49b803acf9
Instruction Fuzzy Hash: 0ED16F75A08705AFD321AB64CC81FABB7EAFF88304F10691DFA9DA2251D735B8018F51

Function 00E7FFC0 Relevance: 26.4, APIs: 5, Strings: 10, Instructions: 184COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(# Your alt-svc cache. https://curl.se/docs/alt-svc.html# This file was generated by libcurl! Edit at your own risk.,?,000006E0), ref: 00E8003D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000088), ref: 00E8019C
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?), ref: 00E801CC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000006E0), ref: 00E801DA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000088), ref: 00E80202

Strings

%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d, xrefs: 00E8017F
# Your alt-svc cache. https://curl.se/docs/alt-svc.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00E80038
,O, xrefs: 00E800D3
|X, xrefs: 00E8012D
xX, xrefs: 00E80134
|X, xrefs: 00E80102
(O, xrefs: 00E800DB
(O, xrefs: 00E800B5
,O, xrefs: 00E800B0
xX, xrefs: 00E80109

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: fclose$_unlinkfputsfree
String ID: # Your alt-svc cache. https://curl.se/docs/alt-svc.html# This file was generated by libcurl! Edit at your own risk.$%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d$(O$(O$,O$,O$xX$xX$|X$|X
API String ID: 549198444-664595106
Opcode ID: 602c0cf03fdd60062d921888df92ae555307feb1377598d690df6078eeff3b7b
Instruction ID: 6e778fce0a459e632720c83ec2a2f1f910b1c28f207efa86bee39ea52f758a04
Opcode Fuzzy Hash: 602c0cf03fdd60062d921888df92ae555307feb1377598d690df6078eeff3b7b
Instruction Fuzzy Hash: D961C1B2605300AFDB109F94DD45A2BB7E5FF84358F00292DF99EE2211E732E959CB52

Function 00E6E6F0 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000088,00000088,?,?,?,?,?,?,?,?,?,?,00E70088,?), ref: 00E6E763
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(# Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.,?,?,?,00000088,00000088,?), ref: 00E6E7A2
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,?,?,?,00000088,00000088,?), ref: 00E6E7C1
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,00000004,00E6E9D0,?,?,?,?,?,?,00000088,00000088,?), ref: 00E6E7FF
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,%s,00000000,?,?,?,?,?,?,?,?,?,?,?,00000088), ref: 00E6E831
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00000088,00000088,?), ref: 00E6E844
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00E6E85E

Strings

# Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00E6E79D
%s, xrefs: 00E6E822

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free$__acrt_iob_funccallocfclosefputsqsort
String ID: # Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s
API String ID: 935424440-959389649
Opcode ID: f86661c8dcb88e1757e095ff8fb084a70a07c126cc4b731b2a8a76f0dd7e4d7a
Instruction ID: e31e057c176d9a93443e0050e82e75061ab8f6f1801d9d6c6e58ddc2d51c7f6c
Opcode Fuzzy Hash: f86661c8dcb88e1757e095ff8fb084a70a07c126cc4b731b2a8a76f0dd7e4d7a
Instruction Fuzzy Hash: F951F375A443005FD7109F68FC45BAB7B98EF41388F081479FC4AA7392E632E91D87A2

Function 00E21230 Relevance: 24.6, APIs: 4, Strings: 10, Instructions: 110COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,00ED16D4,?), ref: 00E21317
Concurrency::cancel_current_task.LIBCPMT ref: 00E2134C
GetModuleHandleW.KERNEL32(00000000), ref: 00E21368

Strings

Radare2, xrefs: 00E21278
OllyDbg, xrefs: 00E2127F
OLLYDBG, xrefs: 00E2124D
Cheat Engine, xrefs: 00E21271
x64dbg, xrefs: 00E2126A
x32dbg, xrefs: 00E21294
Cutter, xrefs: 00E21286
WinDbgFrameClass, xrefs: 00E21256
PEExplorer, xrefs: 00E2128D
Ghidra, xrefs: 00E21263

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_taskHandleModulememmove
String ID: Cheat user$Cutter$Ghidra$OLLYDBG$OllyDbg$PEExplorer$Radare2$WinDbgFrameClass$x32dbg$x64dbg
API String ID: 4272886007-698559490
Opcode ID: 9f2d1eaff4d5fb2e4ddbf0f9d307837b1898069abdd1e3b0b8e17dd97af960cc
Instruction ID: c0116132291514c7aa0d1c61319065b7fdec1e6984c9b83bf45ce30c8a59efa9
Opcode Fuzzy Hash: 9f2d1eaff4d5fb2e4ddbf0f9d307837b1898069abdd1e3b0b8e17dd97af960cc
Instruction Fuzzy Hash: 513195B5D0021CEFCB10DFA4F8455DEBBB4EB55344F4011AAE815B7361E7719A0ACB91

Function 00E77600 Relevance: 22.6, APIs: 18, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 00E7B110: free.API-MS-WIN-CRT-HEAP-L1-1-0(BE83378B,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E7B154

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,-00000050,00000070,00000040,00000028,00E72EB8,00E72EB8,Closing connection,00E72EB8,00000000,00000000,00000000,?,?,00000088), ref: 00E7764F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E77666
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E7767D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E77694
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000070,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E776A7
free.API-MS-WIN-CRT-HEAP-L1-1-0(-00000050,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E776B5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E776CB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E776E1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E776F7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E7770D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E77723
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000028,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00E77735
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000040), ref: 00E77747
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E77757
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E77767
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E7777A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?), ref: 00E77796
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E777A7

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 663fea82984da4475ec072a5c904320006e88a3c73a20509d88b5db45405c861
Instruction ID: 1200ccf7b9aec470f59996a63a87db5c2cc7b141c75f5c9293cd0eb073e5cd45
Opcode Fuzzy Hash: 663fea82984da4475ec072a5c904320006e88a3c73a20509d88b5db45405c861
Instruction Fuzzy Hash: E041E575005700EFDB516FA1EC48BCABBB5FF49316F004409FA8E6A262CB766458DFA1

Function 00EB0760 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo), ref: 00EB078E
GetProcAddress.KERNEL32(00000000), ref: 00EB0795
memset.VCRUNTIME140(?,00000000,0000010C,00000000), ref: 00EB07FC
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 00EB0861
VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 00EB086B
VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00EB0888
VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00EB0894
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 00EB08BC
VerifyVersionInfoW.KERNEL32(?,00000004,00000000), ref: 00EB0949

Strings

ntdll, xrefs: 00EB0789
RtlVerifyVersionInfo, xrefs: 00EB0784
D?w, xrefs: 00EB079B, 00EB089B, 00EB0914

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion$AddressHandleModuleProcmemset
String ID: D?w$RtlVerifyVersionInfo$ntdll
API String ID: 2720349688-3637026075
Opcode ID: e136b9c63e7b193f864666c3ff32652ba2b78355da6d7324abaac58eefcdfbd6
Instruction ID: fa914e48e155f973f2160f77615bfe34399e6e8324c2b3f672b6a5808a9ab011
Opcode Fuzzy Hash: e136b9c63e7b193f864666c3ff32652ba2b78355da6d7324abaac58eefcdfbd6
Instruction Fuzzy Hash: 67513871609341AFE7209B65DC46FEFBBD8AFC9304F04441EF589B32A1C675A844CB52

Function 00E80E80 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.,?,00000000,000006DC,?,00000088), ref: 00E80F13
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00E80FD8
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?), ref: 00E81005
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,000006DC,?,00000088), ref: 00E81013

Strings

unlimited, xrefs: 00E80F4E
%s%s "%d%02d%02d %02d:%02d:%02d", xrefs: 00E80FBB
# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00E80F0E
%s%s "%s", xrefs: 00E80F5F
%d%02d%02d %02d:%02d:%02d, xrefs: 00E810F6

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _unlinkfclosefputsfree
String ID: # Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%d%02d%02d %02d:%02d:%02d$%s%s "%d%02d%02d %02d:%02d:%02d"$%s%s "%s"$unlimited
API String ID: 820369455-2451391588
Opcode ID: 35cc2996320fcbe65a4f6bd461caaf42baf086bd6aa825f2f81a2f38260b0988
Instruction ID: 25a4556c58b62430dc18ac8bf8b116a67b088eea00dfb2bac4c781bc4ecaf51d
Opcode Fuzzy Hash: 35cc2996320fcbe65a4f6bd461caaf42baf086bd6aa825f2f81a2f38260b0988
Instruction Fuzzy Hash: 9281D071608301AFDB20EF64CC81A6BB7E8FF88314F04596DF95DA3251E732E8458B92

Function 00E8E700 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 166fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,00EC77C4,?,00000088,?,754B6BF0), ref: 00E8E748
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,754B6BF0), ref: 00E8E764
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000), ref: 00E8E76E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00E8E79A

Part of subcall function 00E8F990: BCryptGenRandom.BCRYPT(00000000,?), ref: 00E8F9E0

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,%s%s.tmp,00000000,?), ref: 00E8E86F
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,00EC77C4), ref: 00E8E8A8
_close.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00E8E8BC
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000), ref: 00E8E8C3
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,754B6BF0), ref: 00E8E8DE

Strings

%s%s.tmp, xrefs: 00E8E862

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free$CryptRandom_close_fdopen_fileno_fstat64_unlinkfclosefopen
String ID: %s%s.tmp
API String ID: 2683694328-1935936288
Opcode ID: a0331abaf5085fd642d127dfafc78276db6651c8bc283cc2f89bb97f15344202
Instruction ID: fce1069e890c8dbed78fb2dcb2abbc5ce95d82e25318c777f23e308bffc2eeaa
Opcode Fuzzy Hash: a0331abaf5085fd642d127dfafc78276db6651c8bc283cc2f89bb97f15344202
Instruction Fuzzy Hash: C451E331A043049FD724AB64DC45BAF77E8AF45348F081979F88DF3382E63699198B92

Function 00E4D4B0 Relevance: 16.7, APIs: 10, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000040,?,00000020), ref: 00E4D4E7
memset.VCRUNTIME140(?,00000036,00000040,?,00000020), ref: 00E4D4F7
memset.VCRUNTIME140(?,0000005C,00000040,?,?,?,?,00000020), ref: 00E4D50A
memmove.VCRUNTIME140(?,?,00000040,?,?,?,?,?,?,?,00000020), ref: 00E4D5C8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000050,?,?,?,?,?,?,?,?,?,?,00000020), ref: 00E4D617
memmove.VCRUNTIME140(00000040,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 00E4D64C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000020), ref: 00E4D66D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000060), ref: 00E4D674
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000020), ref: 00E4D6CD
memmove.VCRUNTIME140(?,?,00E33B6D), ref: 00E4D6ED

Strings

gj, xrefs: 00E4D539

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmovememset$freemalloc
String ID: gj
API String ID: 1323586892-4203073231
Opcode ID: 4fe5448e673f093cc101afba28b91ef137db83da51bc07b231e9478b7932e5b5
Instruction ID: 0b9e5db86ae43454a4b21bf18037f56af1cfe7ac4ffec5bdd11bc76f8449cea8
Opcode Fuzzy Hash: 4fe5448e673f093cc101afba28b91ef137db83da51bc07b231e9478b7932e5b5
Instruction Fuzzy Hash: ED61B371D0475C97DB219F68DD05BEAB3B4BF69304F04A2A5E94CB6112FB706AD88B40

Function 00E42BA0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 411COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000078,8E857614,?,?), ref: 00E42C07
__std_exception_destroy.VCRUNTIME140(?,?), ref: 00E42D7C
__std_exception_destroy.VCRUNTIME140(?), ref: 00E42D92
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E42E16
__std_exception_destroy.VCRUNTIME140(?,?,?,?), ref: 00E42FE1
__std_exception_destroy.VCRUNTIME140(?), ref: 00E42FF7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E43081
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,8E857614,?,?), ref: 00E4316A

Strings

value, xrefs: 00E42C99, 00E42EF2

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$_invalid_parameter_noinfo_noreturn$memset
String ID: value
API String ID: 2005958071-494360628
Opcode ID: d8bf861103e489876ef70bc37091e52b968d55c4b52ac5806b9f8402e0ad93bb
Instruction ID: 2226c7127d57a1c834e058666d5d576b1656539b835ff2f48f65b6094034297f
Opcode Fuzzy Hash: d8bf861103e489876ef70bc37091e52b968d55c4b52ac5806b9f8402e0ad93bb
Instruction Fuzzy Hash: D1F1BD71D002588BDB28DB28DC85BEEBBB5AF45300F1482E9E559B7682DB706F84CF51

Function 00E74180 Relevance: 15.0, APIs: 12, Instructions: 41COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00E74AF6,00000020,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E74187
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E74196
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E741A6
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E741B6
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E741C6
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E741D6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E741E6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E741F6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E74206
free.API-MS-WIN-CRT-HEAP-L1-1-0(0000000A,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E74216
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E74226
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,00E76674,00000000,00000088,00000000), ref: 00E74236

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 93f62576fa83250ca4057e6866e5715f29c8c225718473959cd58effe739e8ba
Instruction ID: 371dbac16eec0c364cc8babc3b348fb9ebd04f080133040bfc800a634c265165
Opcode Fuzzy Hash: 93f62576fa83250ca4057e6866e5715f29c8c225718473959cd58effe739e8ba
Instruction Fuzzy Hash: AC110D75005B00EFDB615FA2FC08786BBF1FF08316F004A09E99E55AA1C776A09C9FA1

Function 00E4DF60 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000060,8E857614,00000000,00000000), ref: 00E4DFE4

Part of subcall function 00E31060: GetProcessHeap.KERNEL32(00E4E00A,8E857614,00000000,00000000), ref: 00E310A1

GetCurrentProcess.KERNEL32 ref: 00E4E085
OpenProcessToken.ADVAPI32(00000000,00020008,?), ref: 00E4E098
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00ED15B4), ref: 00E4E143
UnloadUserProfile.USERENV(00000000,00000000,none,00000004), ref: 00E4E16E
CloseHandle.KERNEL32(00000000,none,00000004), ref: 00E4E183

Part of subcall function 00E4E760: GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,8E857614,?,?,?,?,80070057,?), ref: 00E4E7A8
Part of subcall function 00E4E760: GetLastError.KERNEL32(?,?,?,?,80070057,?), ref: 00E4E7AE
Part of subcall function 00E4E760: GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000008,?,?,?,?,80070057,?), ref: 00E4E830
Part of subcall function 00E4E760: IsValidSid.ADVAPI32(?), ref: 00E4E875
Part of subcall function 00E4E760: GetLengthSid.ADVAPI32(?), ref: 00E4E884
Part of subcall function 00E4E760: CopySid.ADVAPI32(00000000,00000000,?), ref: 00E4E899
Part of subcall function 00E4E760: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,80070057,?), ref: 00E4E8C3

Part of subcall function 00E4DDA0: ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 00E4DDEB
Part of subcall function 00E4DDA0: LocalFree.KERNEL32(?,?), ref: 00E4DE02

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,80004005,8E857614,00000000,00000000), ref: 00E4E1FA

Strings

none, xrefs: 00E4E1C7

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ProcessTokenfree$Information$CloseConvertCopyCurrentErrorFreeHandleHeapLastLengthLocalOpenProfileStringUnloadUserValidmemset
String ID: none
API String ID: 793324379-2140143823
Opcode ID: d552b454d676eea8fac62a89bfcf909769314ef8f4bf5e7ad20d5daa85b0a9d8
Instruction ID: 771a5c961f0c0cf7e5dded3ba655d3251d347e329e5b1aeaab2acf2fa80687b9
Opcode Fuzzy Hash: d552b454d676eea8fac62a89bfcf909769314ef8f4bf5e7ad20d5daa85b0a9d8
Instruction Fuzzy Hash: FE719970A002499BDB14DFA4DD49BEEBBF4BF45304F1482ADE505B7381DB75AA48CBA0

Function 00E8E620 Relevance: 13.6, APIs: 9, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 00E6ED50: QueryPerformanceCounter.KERNEL32(754B6BF0,754B6BF0,?,?,754B6BF0), ref: 00E6ED63
Part of subcall function 00E6ED50: __alldvrm.LIBCMT ref: 00E6ED7D
Part of subcall function 00E6ED50: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E6EDA4

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000,?,754B6BF0), ref: 00E8E643
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 00E8E64B
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00E8E65C
Sleep.KERNEL32(00000001), ref: 00E8E6A9
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 00E8E6AF
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00E8E6C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00E8E6CA

Part of subcall function 00E6ED50: GetTickCount.KERNEL32 ref: 00E6EDC1

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00E8E6E4
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00E8E6EE

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTickUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID:
API String ID: 2436438912-0
Opcode ID: 0c5055e6f58f3c4feb43c00f62a250b1020fc015266f6a1d9414189cef5f0b02
Instruction ID: 977df82bed23c77b2d967ce2b07b30996d1dadde3ff8f63e30232e0e99700869
Opcode Fuzzy Hash: 0c5055e6f58f3c4feb43c00f62a250b1020fc015266f6a1d9414189cef5f0b02
Instruction Fuzzy Hash: B1212B31D003145BE2213725AC81ABF7764EF96798F081134FD0C73352FA1AE99953E6

Function 00E389EE Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 396COMMON

Download Yara Rule

APIs

Part of subcall function 00E41600: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000000,00000000,00F260AC), ref: 00E417BF

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,CDCED9D8,?,00000001,00000000,?,message,success), ref: 00E38B27

Part of subcall function 00E3A460: strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000010,?,00000002,8E857614,1FFFB800), ref: 00E3A550

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,?,?,?,?,?,CDCED9D8,?,00000001,00000000,?,message,success), ref: 00E38C67
memmove.VCRUNTIME140(?,?,?,?,00000000,?,?,?,?,?,?,?,?,CDCED9D8,?,00000001), ref: 00E38D0C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,CDCED9D8,?,00000001,00000000,?,message,success), ref: 00E38EA3

Strings

message, xrefs: 00E38A25
success, xrefs: 00E38A12
!, xrefs: 00E38CA1

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmovestrtol
String ID: !$message$success
API String ID: 43302329-2055558241
Opcode ID: d8d0ed7e6693c3ffffe1c662fa33d5c68d6a06880c96b3948a1a0b418d7630ee
Instruction ID: 472888566b75a5d6ffe8929015439b134f16f8966e28f9ae095bb4bd0cdd0a78
Opcode Fuzzy Hash: d8d0ed7e6693c3ffffe1c662fa33d5c68d6a06880c96b3948a1a0b418d7630ee
Instruction Fuzzy Hash: D7F10F709002188FDB18DB24DD98BEDBBB1AF41304F2492D9F04ABB692CB749EC4DB51

Function 00E48033 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 387COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 00E48881
__std_exception_destroy.VCRUNTIME140(?), ref: 00E48897
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00E4891F
__std_exception_destroy.VCRUNTIME140(?,00000000,object key,0000000A), ref: 00E48A02
__std_exception_destroy.VCRUNTIME140(?), ref: 00E48A18

Strings

object key, xrefs: 00E48931
object separator, xrefs: 00E487B0

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$_invalid_parameter_noinfo_noreturn
String ID: object key$object separator
API String ID: 2506729964-2279923633
Opcode ID: a6e03fce831d36427a7d7fbe25ac6878aa3a3e100b0f287ba63a094020444990
Instruction ID: cd282a07deb00e3865a28c98a0d52ca347db49651a7e0d28d660ef90cfcbf7da
Opcode Fuzzy Hash: a6e03fce831d36427a7d7fbe25ac6878aa3a3e100b0f287ba63a094020444990
Instruction Fuzzy Hash: F5E1D370D002188FDB18CF68ED94BEEB7B5BF45304F1096A9E50AF7681DB74AA84CB51

Function 00EA6140 Relevance: 12.5, APIs: 10, Instructions: 25COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00EA4E8F,?,?,00E79FA0,?), ref: 00EA6147
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00EA6150
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00EA6159
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00EA6162
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00EA616B
free.API-MS-WIN-CRT-HEAP-L1-1-0(0000000F), ref: 00EA6174
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00EA617D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00EA6186
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00EA618F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00EA6198

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: dc9b1ea63b5f5a028c46fd43725c6b5bfbd45df5dfb43085e0c79b2fc732cd99
Instruction ID: 83b0b47f0dd2c86277019b34e3cfc78bb4c1aaa9b3fd8dba0aeb023cdf0f9f16
Opcode Fuzzy Hash: dc9b1ea63b5f5a028c46fd43725c6b5bfbd45df5dfb43085e0c79b2fc732cd99
Instruction Fuzzy Hash: 02F09432012610EFCB211F66FD098C57BB5FF086117104916F99A654B2C73358AD9B81

Function 00E49299 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 00E2E120: memmove.VCRUNTIME140(?,76230E50,?,?,?,?,76230E50), ref: 00E2E152

Part of subcall function 00E2FB40: memmove.VCRUNTIME140(?,parse error,0000000B,00000000), ref: 00E2FC20

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00E4891F
__std_exception_destroy.VCRUNTIME140(?,00000000,object key,0000000A), ref: 00E48A02
__std_exception_destroy.VCRUNTIME140(?), ref: 00E48A18
__std_exception_destroy.VCRUNTIME140 ref: 00E49376
__std_exception_destroy.VCRUNTIME140(?), ref: 00E4938C

Strings

object key, xrefs: 00E48931
value, xrefs: 00E492A5

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$memmove$_invalid_parameter_noinfo_noreturn
String ID: object key$value
API String ID: 2901057578-3662756203
Opcode ID: 653bfa746f1f1a49a1431924494c2e7bc38519ff7599c0fdef70aac326a6d3ee
Instruction ID: e90908017d9d344bfc5b7da7f129f782a18bdb57c734c7b8d936cc4dea455e3e
Opcode Fuzzy Hash: 653bfa746f1f1a49a1431924494c2e7bc38519ff7599c0fdef70aac326a6d3ee
Instruction Fuzzy Hash: ED71F771D0022C8BDB18DB64ED98BDEBBB5BF45304F148299E149B7682DB706B84CF51

Function 00E47C5C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 00E2E120: memmove.VCRUNTIME140(?,76230E50,?,?,?,?,76230E50), ref: 00E2E152

Part of subcall function 00E2FB40: memmove.VCRUNTIME140(?,parse error,0000000B,00000000), ref: 00E2FC20

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00E472C0
__std_exception_destroy.VCRUNTIME140(?,00000000,object key,0000000A), ref: 00E473A3
__std_exception_destroy.VCRUNTIME140(?), ref: 00E473B9
__std_exception_destroy.VCRUNTIME140 ref: 00E47D39
__std_exception_destroy.VCRUNTIME140(?), ref: 00E47D4F

Strings

object key, xrefs: 00E472D2
value, xrefs: 00E47C68

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$memmove$_invalid_parameter_noinfo_noreturn
String ID: object key$value
API String ID: 2901057578-3662756203
Opcode ID: 4892f982dd966ef3970cb0e7fdb87c6fd11418b29bd94f5efe2762e4ee14c8a0
Instruction ID: 8b983191c9af8e1aa6fbbaae988e57ff80ac7b41523b55a07e239b078e118ad4
Opcode Fuzzy Hash: 4892f982dd966ef3970cb0e7fdb87c6fd11418b29bd94f5efe2762e4ee14c8a0
Instruction Fuzzy Hash: 2171D3B1D003188FEB24DB64DD99BDEBBB4EF05304F108299E449B7682D7B56A84CF91

Function 00E2E320 Relevance: 12.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,7FFFFFFF,?,?,?,?), ref: 00E2E3FC
memmove.VCRUNTIME140(?,?,?,00000000,7FFFFFFF,?,?,?,?), ref: 00E2E40A
memmove.VCRUNTIME140(?,?,?,?,?,?,00000000,7FFFFFFF,?,?,?,?), ref: 00E2E41E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?), ref: 00E2E45B
memmove.VCRUNTIME140(00000000,?,?,?,?,?), ref: 00E2E463
memmove.VCRUNTIME140(7FFFFFFF,?,?,00000000,?,?,?,?,?), ref: 00E2E46F
memmove.VCRUNTIME140(?,?,?,7FFFFFFF,?,?,00000000,?,?,?,?,?), ref: 00E2E483

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

Concurrency::cancel_current_task.LIBCPMT ref: 00E2E49D

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 4d26ecf71acff4d579b3e26ab5de6e0e20db1098d46ec4332f43c33de56d2aa9
Instruction ID: 04526203856f62989c6822d74bc0e138b94d699c9424585e4762949b7c369f5f
Opcode Fuzzy Hash: 4d26ecf71acff4d579b3e26ab5de6e0e20db1098d46ec4332f43c33de56d2aa9
Instruction Fuzzy Hash: 1041AD72E001299BCF15EF68E8819EEBBB5FF48301B141269E815B7355D730DE618B91

Function 00E4E760 Relevance: 12.2, APIs: 8, Instructions: 153COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,8E857614,?,?,?,?,80070057,?), ref: 00E4E7A8
GetLastError.KERNEL32(?,?,?,?,80070057,?), ref: 00E4E7AE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,80070057,?), ref: 00E4E7F9
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000008,?,?,?,?,80070057,?), ref: 00E4E830
IsValidSid.ADVAPI32(?), ref: 00E4E875
GetLengthSid.ADVAPI32(?), ref: 00E4E884
CopySid.ADVAPI32(00000000,00000000,?), ref: 00E4E899
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,80070057,?), ref: 00E4E8C3

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: InformationToken$CopyErrorLastLengthValidfreemalloc
String ID:
API String ID: 2357097940-0
Opcode ID: 9027822dae9f8b5a6f7ff8872f289ef88690fb0bc117dac234ad819fc8b4855b
Instruction ID: 93ff1c5c89c812e9f62bcf7a44e84ee52317271453372b0f1b499802c0d00bef
Opcode Fuzzy Hash: 9027822dae9f8b5a6f7ff8872f289ef88690fb0bc117dac234ad819fc8b4855b
Instruction Fuzzy Hash: 4951F671A00205AFDB14DF65EC8AFAEBBA8FF09304F185469E501B7352D731B958CB90

Function 00E4E510 Relevance: 12.1, APIs: 8, Instructions: 121COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00E4E597
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00E4E5A9
memmove.VCRUNTIME140(?,?,?,?,?), ref: 00E4E5C0
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 00E4E60D

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfomemmove
String ID:
API String ID: 351588475-0
Opcode ID: c7fb5ffff226a146ad7dfb29e829e2e9947d8b1c133ddfcc1b03d078d1cb5c93
Instruction ID: 3b99ba2f8041e307957e976ecd278b1c6d2ad36860acdd7f0dad51bc66fdef56
Opcode Fuzzy Hash: c7fb5ffff226a146ad7dfb29e829e2e9947d8b1c133ddfcc1b03d078d1cb5c93
Instruction Fuzzy Hash: C4310876A00610CFCB24DF68EC49AAAB7A5FF95304F1156A9EC02F7354EA32AC018691

Function 00E2FB40 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

Part of subcall function 00E2E120: memmove.VCRUNTIME140(?,76230E50,?,?,?,?,76230E50), ref: 00E2E152

memmove.VCRUNTIME140(?,parse error,0000000B,00000000), ref: 00E2FC20
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000002,00000000,00ECF9AC,00000002,?,?,?,0000000B,00000000,parse error,0000000B,00000000), ref: 00E2FECE
__std_exception_copy.VCRUNTIME140(?,0000000F,?,00000002,00000000,00ECF9AC,00000002,?,?,?,0000000B,00000000,parse error,0000000B,00000000), ref: 00E2FF20
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E2FF5F

Strings

parse error, xrefs: 00E2FC1A, 00E2FC33
parse_error, xrefs: 00E2FBBF

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmove$__std_exception_copy
String ID: parse error$parse_error
API String ID: 2013804569-1820534363
Opcode ID: 7d9a8d886ccba0568c1209bb87fa12d5d67c4cf05f0cd41af87da2103a7f0055
Instruction ID: 925d3363eaeb994a6613eaf4b5b256a5de83bc5d20f4f6d49f9277ac38541e56
Opcode Fuzzy Hash: 7d9a8d886ccba0568c1209bb87fa12d5d67c4cf05f0cd41af87da2103a7f0055
Instruction Fuzzy Hash: FFD1E271D002588FDB18CF68ED85BADBBB1FF45304F248269F414BB692D770AA85CB91

Function 00E21E50 Relevance: 10.7, APIs: 7, Instructions: 212COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 00E21EE0

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: fgetc
String ID:
API String ID: 2807381905-0
Opcode ID: 2b417860b58452fae2f2a516bf6fb6b274c70ad4bb67fd63049ec8160b5378ac
Instruction ID: eb8de747736e5aaeafd71dc459b037268786c0b0287ade87b8a4a31135e31519
Opcode Fuzzy Hash: 2b417860b58452fae2f2a516bf6fb6b274c70ad4bb67fd63049ec8160b5378ac
Instruction Fuzzy Hash: 84918A71D00119DFCB14CFA8D894AAEBBB5FF48314F24826EE922B7291D731A945CF90

Function 00E43590 Relevance: 10.7, APIs: 7, Instructions: 182COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000001,?,00000001,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 00E43614
memmove.VCRUNTIME140(00000001,?,00000001,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 00E4365F
memmove.VCRUNTIME140(?,DCC8DA8D,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 00E43675
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 00E436F6
memmove.VCRUNTIME140(00000002,DCC8DA8D,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 00E43726
memmove.VCRUNTIME140(DCC8DA8D,?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 00E43743
Concurrency::cancel_current_task.LIBCPMT ref: 00E4375B

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: a801447c2a14f6632dbcd8bec1f6925060009a0770f7990f8d3f0bdeea8d7dfc
Instruction ID: 3b1008657bcfa48214a8b9b3bf49833993bd303003f79ee0fcfa3175ca71aa0a
Opcode Fuzzy Hash: a801447c2a14f6632dbcd8bec1f6925060009a0770f7990f8d3f0bdeea8d7dfc
Instruction Fuzzy Hash: 9951A2B1A00206DBD724DF78E884AAAB7F4FF44304F2016AEE455A7641E731EA54CBA1

Function 00E3DE00 Relevance: 10.6, APIs: 7, Instructions: 113COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(8E857614,00000000,00000000), ref: 00E3DE3D
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000), ref: 00E3DE5B
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 00E3DE85
?_Xbad_alloc@std@@YAXXZ.MSVCP140 ref: 00E3DEB3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E3DEE4

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

memmove.VCRUNTIME140(00000000,00E3B7BD,CC8BFFFF), ref: 00E3DEFA
Concurrency::cancel_current_task.LIBCPMT ref: 00E3DF3F

Part of subcall function 00E215F0: _CxxThrowException.VCRUNTIME140(?,00ED5D48,?,?,?,76230E50), ref: 00E21607
Part of subcall function 00E215F0: __std_exception_copy.VCRUNTIME140(?,00000000,?,?,?,00ED5D48,?,?,?,76230E50), ref: 00E2162E

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@Concurrency::cancel_current_taskD@std@@@1@_ExceptionThrowV?$basic_streambuf@Xbad_alloc@std@@__std_exception_copy_invalid_parameter_noinfo_noreturnmallocmemmove
String ID:
API String ID: 3583517682-0
Opcode ID: 8b174cecb0046a342fb5760a26c30427bc6df155a969011849650b62e9459492
Instruction ID: e7ada695712fe57c4683276d1798e609a1bbdbeeb18716fcafc1f01e14de4bb5
Opcode Fuzzy Hash: 8b174cecb0046a342fb5760a26c30427bc6df155a969011849650b62e9459492
Instruction Fuzzy Hash: 4841AFB5A00204DFCB10DF19D888B9ABBF8FF59314F1145AAE816AB391D775ED04CBA1

Function 00E6EB90 Relevance: 10.6, APIs: 7, Instructions: 90COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00000088,00000088), ref: 00E6EB97
free.API-MS-WIN-CRT-HEAP-L1-1-0(0000000F,?), ref: 00E6EC44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E6EC4D
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00E6EC56
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E6EC5F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E6EC68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E6EC6F

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free$_time64
String ID:
API String ID: 3087401894-0
Opcode ID: b691751573ff90463cf43baa3bb40461fe5f60f1455bb8a2093ed9fb2b4fd2ac
Instruction ID: fbb0aea96e6835d8b827dcf33a6d03f33f07b52b78125d7bbebd531d0532fffe
Opcode Fuzzy Hash: b691751573ff90463cf43baa3bb40461fe5f60f1455bb8a2093ed9fb2b4fd2ac
Instruction Fuzzy Hash: D031B0755447408FCB24CF08F88499ABBE0FF94354F145A7DED9AAB3E1D731A8888B91

Function 00E6F570 Relevance: 10.6, APIs: 7, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,?,00E6A8B5,?), ref: 00E6F59B
CloseHandle.KERNEL32(?,?,000000FF,00000000,?,00E6A8B5,?), ref: 00E6F5A3
EnterCriticalSection.KERNEL32(?,000006DC,?,00000000,00000088,00E76784,00000000), ref: 00E6F6F0
LeaveCriticalSection.KERNEL32(?,?,00000000,00000088,00E76784,00000000), ref: 00E6F703
CloseHandle.KERNEL32(00000000,?,00000000,00000088,00E76784,00000000), ref: 00E6F714
closesocket.WS2_32(?), ref: 00E6F77E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000088,00E76784,00000000), ref: 00E6F78F

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterLeaveObjectSingleWaitclosesocketfree
String ID:
API String ID: 768628753-0
Opcode ID: 3f8bf49f956907d725fbd914653476a16528a74d7efddb9f015432f376cabc78
Instruction ID: 15920c23ed9cf1fb8d12affbf72aee7940de0e70f0dc0d851a885bb71387de69
Opcode Fuzzy Hash: 3f8bf49f956907d725fbd914653476a16528a74d7efddb9f015432f376cabc78
Instruction Fuzzy Hash: EF21B0B6501601BFD7109F25FC48B96BBB8BF45395F080039E95AA3222C772FC64CB91

Function 00E79EE0 Relevance: 10.0, APIs: 8, Instructions: 32COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000088,00E766E3,00000000,00000088), ref: 00E79EEB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E79F01
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E79F17
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E79F2D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E79F43
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E79F59
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E79F6F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E79F85

Part of subcall function 00EA4E80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00E79FA0,?), ref: 00EA4E90

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 9d273683b769940e985828c78eb92f360f0870c00e7764f3aa371490c3bb35fa
Instruction ID: 1bca6e944f47c757af1b20c8ce8a62aad8f097d51894ff8832282f0bc1ba952e
Opcode Fuzzy Hash: 9d273683b769940e985828c78eb92f360f0870c00e7764f3aa371490c3bb35fa
Instruction Fuzzy Hash: 00113379005B40AFEB665F61EC58BC6BBE1FB08306F100A09E9AE552A1CB76209C9B51

Function 00E44960 Relevance: 9.4, APIs: 6, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2580228974-0
Opcode ID: 790187881dea94abd528b8986a15acd12cf8fb9557d7c1aaf11d55d591c60667
Instruction ID: e7bc38842623a4f5f5d6da9901621b752baec1c6d7fbaec334eec7f4a1ab0088
Opcode Fuzzy Hash: 790187881dea94abd528b8986a15acd12cf8fb9557d7c1aaf11d55d591c60667
Instruction Fuzzy Hash: 4D12D2B4A04745CFC725CF64E480BAABBF1BF45308F245A9DD4526B792D332E906CBA1

Function 00E3D5EC Relevance: 9.2, APIs: 6, Instructions: 243COMMON

Download Yara Rule

APIs

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00E3D5EC
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00E3D5F8
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00E3D604
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00E3D838
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00E3D844
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,\Debug,?), ref: 00E3D963
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(7FFFFFFF,?,00000000,?,00000000,-00000002), ref: 00E3D9D8

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$??1?$basic_ios@??1?$basic_istream@$??1?$basic_ostream@??1?$basic_streambuf@_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2127113060-0
Opcode ID: 301f3e67c144e1f043c9bd8d90049ccbbc34ff5e978fdad41486b3e0d965880c
Instruction ID: 29d9f8d105b601f0d39129c9d8d3b3d21bdd549dc43d8517b6a72cb44f8067cd
Opcode Fuzzy Hash: 301f3e67c144e1f043c9bd8d90049ccbbc34ff5e978fdad41486b3e0d965880c
Instruction Fuzzy Hash: 7491D171A040148BDB1D9B28ECDC7ADBBB5EB85314F2492D8E419AB696CB749FC1CF40

Function 00E3EFA0 Relevance: 9.2, APIs: 6, Instructions: 192COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,0000026C,8E857614,00000000,00000000), ref: 00E3F044

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

memset.VCRUNTIME140(?,00000000,00000040), ref: 00E3F0E3
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 00E3F0EB
memset.VCRUNTIME140(?,00000000,00000200), ref: 00E3F134
memset.VCRUNTIME140(00000000,00000020,00000200), ref: 00E3F17D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,00000000,00000000), ref: 00E3F205

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnlocaleconvmalloc
String ID:
API String ID: 4120556116-0
Opcode ID: 24a32cc269ba446eb1c1391fbe8e4f5cff27e29dfaa0c640bc9d4c7d9fee9f20
Instruction ID: 3e537b3abd4e1caabdb674852e8de8cfbcca365d3a99926b8a95130b74bb709e
Opcode Fuzzy Hash: 24a32cc269ba446eb1c1391fbe8e4f5cff27e29dfaa0c640bc9d4c7d9fee9f20
Instruction Fuzzy Hash: 82818BB0D01318CFEB20DF64DC8979ABBB0AF45714F2442A9E449BB391DBB55A84CF91

Function 00E42820 Relevance: 9.2, APIs: 6, Instructions: 152COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,7FFFFFFF,?,00000000), ref: 00E428EF
memset.VCRUNTIME140(?,?,?,00000000,7FFFFFFF,?,00000000), ref: 00E428FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000), ref: 00E42940
memmove.VCRUNTIME140(00000000,?,?,00000000), ref: 00E42948
memset.VCRUNTIME140(7FFFFFFF,?,?,00000000,?,?,00000000), ref: 00E42954

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

Concurrency::cancel_current_task.LIBCPMT ref: 00E42974

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmovememset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 4119555314-0
Opcode ID: 9486a779f785252ac8a75347b0dffc03ff930351dff071909d60734429452a5f
Instruction ID: fbea82e2c0846cda7dd3339b5e9fb85c7cf25d5bc84f79bdacad3772d599e76b
Opcode Fuzzy Hash: 9486a779f785252ac8a75347b0dffc03ff930351dff071909d60734429452a5f
Instruction Fuzzy Hash: B541F372E001149BCB19DFA8E880AAEB7E5FF88310F5416ADFA15EB241D730DE519B91

Function 00E2DFC0 Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 00E2E08E
memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 00E2E09C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?), ref: 00E2E0DF
memmove.VCRUNTIME140(00000000,?,00000000,?,?), ref: 00E2E0E7
memmove.VCRUNTIME140(7FFFFFFF,?,?,00000000,?,00000000,?,?), ref: 00E2E0F3

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

Concurrency::cancel_current_task.LIBCPMT ref: 00E2E113

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 1196c6863a76703e45fb30fa46463227b3de36927499cd6f2b070dd6ad7c292e
Instruction ID: 6eba9ab7195358f0e01960b94ae643c6f1bf6a50ead1a6b29b38893cd1c76376
Opcode Fuzzy Hash: 1196c6863a76703e45fb30fa46463227b3de36927499cd6f2b070dd6ad7c292e
Instruction Fuzzy Hash: E341D072E001249BDB15EFACEC80AAEB7E5EF49300F1412A9E815F7301DB71DE129B91

Function 00E49620 Relevance: 9.1, APIs: 6, Instructions: 134COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,00000000,?,?), ref: 00E496EC
memmove.VCRUNTIME140(00000000,00000001,00000001,00000000,00000000,?,?), ref: 00E496FA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?), ref: 00E49737
memmove.VCRUNTIME140(00000000,00000000,?,?), ref: 00E4973D
memmove.VCRUNTIME140(00000000,?,00000001,00000000,00000000,?,?), ref: 00E49747

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

Concurrency::cancel_current_task.LIBCPMT ref: 00E49761

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: f45a1ab10a874ced6a2716c3cddd830f856f9a8adb7cee3641c84d9e00632f86
Instruction ID: db9f76a50583ee7d729599bfa427229ce373ff30b743da842b828a2ed22cad1b
Opcode Fuzzy Hash: f45a1ab10a874ced6a2716c3cddd830f856f9a8adb7cee3641c84d9e00632f86
Instruction Fuzzy Hash: DA410772E001149FDB14EF68EC849AFB7E5EB84350B2512BAE815F7216EB309E108B91

Function 00E3F840 Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?), ref: 00E3F882
memset.VCRUNTIME140(?,?,?), ref: 00E3F90F
Concurrency::cancel_current_task.LIBCPMT ref: 00E3F92E
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00E3F96F
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 00E3F977

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@memset$??1?$basic_ios@??1?$basic_istream@Concurrency::cancel_current_task
String ID:
API String ID: 915423947-0
Opcode ID: 3e16201fd3fd67fac837a63078c3c9dd818768c3118cdab44618d5bbb5c87bdd
Instruction ID: b836f3a58b5a982a5b9a1099f6517fb17c54ffeffeaa2e10af49cbf16a9bb3f2
Opcode Fuzzy Hash: 3e16201fd3fd67fac837a63078c3c9dd818768c3118cdab44618d5bbb5c87bdd
Instruction Fuzzy Hash: 0A415672A003049FD328DF68E888BAEBBE8EF95314F14027EF4569B342D7719A05C791

Function 00E4EAB0 Relevance: 9.1, APIs: 6, Instructions: 107COMMON

Download Yara Rule

APIs

_Query_perf_frequency.MSVCP140 ref: 00E4EABE
_Query_perf_counter.MSVCP140 ref: 00E4EACA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E4EB0E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E4EB41
__alldvrm.LIBCMT ref: 00E4EB58
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E4EB7D

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Query_perf_counterQuery_perf_frequency__alldvrm
String ID:
API String ID: 1339266948-0
Opcode ID: 5c3df0a7919e51b1e89edaaff5087089fae179c73c7ce1943bf71ff933476a0f
Instruction ID: 2ddbab061427266ba9d638ba2999276720613c59c626d5f65f45e22d57242462
Opcode Fuzzy Hash: 5c3df0a7919e51b1e89edaaff5087089fae179c73c7ce1943bf71ff933476a0f
Instruction Fuzzy Hash: FF218271A043187EEB289B699C85FBBBBFCEB84754F2041A9F909F7341E6706D004B64

Function 00E410E0 Relevance: 9.1, APIs: 6, Instructions: 101COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000001,?,00000040,8E857614,?,?,?,00E33106,?,00000001,00000000,?,?,?,?,?), ref: 00E41120
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,?,?,00E33106,?,00000001,00000000,?,?,?,?,?,?,00000000,?), ref: 00E4113D
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,?,?), ref: 00E41165
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,00E33106,?,00000001,00000000,?,?), ref: 00E411AA

Part of subcall function 00E226E0: ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,8E857614,00000000,00ECF874,?,00EBCDA6,000000FF,?,00E411BE), ref: 00E22715
Part of subcall function 00E226E0: ??Bid@locale@std@@QAEIXZ.MSVCP140(?,00EBCDA6,000000FF), ref: 00E22730
Part of subcall function 00E226E0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,00EBCDA6,000000FF), ref: 00E2275B
Part of subcall function 00E226E0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,00EBCDA6,000000FF), ref: 00E2277E
Part of subcall function 00E226E0: std::_Facet_Register.LIBCPMT ref: 00E22797
Part of subcall function 00E226E0: ??1_Lockit@std@@QAE@XZ.MSVCP140(?,00EBCDA6,000000FF), ref: 00E227B2

?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP140(?,?,?,?,?,?,?,?,00E33106,?,00000001), ref: 00E411C2
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,?,?,?,?,?,?,00E33106,?,00000001), ref: 00E411DA

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: 98357a96f0eede094199c152c96360e9903eca4dda5427cc96981e736bf64c33
Instruction ID: 6a279d31c064d398795ce4c05a8f981110d0d80461063ec103d9952cdad9298d
Opcode Fuzzy Hash: 98357a96f0eede094199c152c96360e9903eca4dda5427cc96981e736bf64c33
Instruction Fuzzy Hash: 75416A74A007488FCB20CF69D848BABBBF4FB49314F00456EE916E7790DB75A905CB90

Function 00E226E0 Relevance: 9.1, APIs: 6, Instructions: 88COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,8E857614,00000000,00ECF874,?,00EBCDA6,000000FF,?,00E411BE), ref: 00E22715
??Bid@locale@std@@QAEIXZ.MSVCP140(?,00EBCDA6,000000FF), ref: 00E22730
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,00EBCDA6,000000FF), ref: 00E2275B
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,00EBCDA6,000000FF), ref: 00E2277E
std::_Facet_Register.LIBCPMT ref: 00E22797
??1_Lockit@std@@QAE@XZ.MSVCP140(?,00EBCDA6,000000FF), ref: 00E227B2

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 3960873448-0
Opcode ID: e23a17eb7f7bc58037685f64f2fda786d0e2c44aea53496741e42c9aa58b81a4
Instruction ID: db13c66d09aac23700e6f5084100be4225775ab4e48a129edcec55bb19990bd9
Opcode Fuzzy Hash: e23a17eb7f7bc58037685f64f2fda786d0e2c44aea53496741e42c9aa58b81a4
Instruction Fuzzy Hash: B2319835D042299FCB10CF68E848AAEFBB0FB05724F1542AAE815B7261DB35AD05CBD0

Function 00E41390 Relevance: 9.1, APIs: 6, Instructions: 87COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,8E857614,00E3AFF8,?,?,?,00000000,?,?,00E3AFF8,?,?), ref: 00E413C6
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,00000000,?), ref: 00E413E1
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,00000000,?), ref: 00E4140C
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,00000000,?), ref: 00E4142F
std::_Facet_Register.LIBCPMT ref: 00E41448
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,00000000,?), ref: 00E41463

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 295490909-0
Opcode ID: 39f73b4392f08005ca95825e436c069e7ea5e8ecf891b660acc91a45d757e965
Instruction ID: 9f3c8b639f43e20acbbc1b4f68e71c618a0cf0886d13057100203c6b87669e5f
Opcode Fuzzy Hash: 39f73b4392f08005ca95825e436c069e7ea5e8ecf891b660acc91a45d757e965
Instruction Fuzzy Hash: 49319A75D002198FCF25CF94E848AAEBBB0FB05764F04469AE821B7251D735AD45CBD0

Function 00E8D240 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8D320
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E8D40D

Strings

%7lldd, xrefs: 00E8D436
%2lld:%02lld:%02lld, xrefs: 00E8D36B
%3lldd %02lldh, xrefs: 00E8D419

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: %2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd
API String ID: 885266447-1743532675
Opcode ID: 6854f854c2afa6a06ac000231c65ec031f0bddfcc43e38b50e42d9fc33f1397d
Instruction ID: 808f3bc67c70f1b57cb5aebc9e12dc262eb77be4bd17252e0c64f4f588eb2491
Opcode Fuzzy Hash: 6854f854c2afa6a06ac000231c65ec031f0bddfcc43e38b50e42d9fc33f1397d
Instruction Fuzzy Hash: F1513372B083045BE308AE2C8C41B6EB7D9E7C8754F494A3DF85CE33A2E6B69D054781

Function 00E3B160 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(ALLUSERSPROFILE,8E857614,00000000,?), ref: 00E3B1AF
___std_fs_convert_wide_to_narrow@20.LIBCPMT ref: 00E3B260
___std_fs_convert_wide_to_narrow@20.LIBCPMT ref: 00E3B28B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,?,?,00000000,?,00000000,00000000,?,00000000,00000000), ref: 00E3B2C0

Strings

ALLUSERSPROFILE, xrefs: 00E3B1A3

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ___std_fs_convert_wide_to_narrow@20$_invalid_parameter_noinfo_noreturngetenv
String ID: ALLUSERSPROFILE
API String ID: 2152966803-1909236125
Opcode ID: 750d431dbc929ba1f0e4b1138af03094fbc9f5a4b915a10e5fb303f7cc6f1cdf
Instruction ID: 6c0aba8f413276fc5bc3c30c1dc84899e328034985fa8442830c6759405fa2f6
Opcode Fuzzy Hash: 750d431dbc929ba1f0e4b1138af03094fbc9f5a4b915a10e5fb303f7cc6f1cdf
Instruction Fuzzy Hash: 57411170E002049BDB24DF68D849BAFBBF5EF85704F10462DE952B7391DB75AA44CBA0

Function 00E318E0 Relevance: 7.7, APIs: 5, Instructions: 235COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140(?), ref: 00E319CE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E319EF
__std_exception_destroy.VCRUNTIME140(?), ref: 00E31AE7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E31AF2
__std_exception_copy.VCRUNTIME140(?,?,8E857614,?,?,?,00000000,00EBD563,000000FF), ref: 00E31B42

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy_invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID:
API String ID: 3884296093-0
Opcode ID: 87d844539d4c8a6e268ddc2643ecf072427b04a12b01139f7da1bb9d3bc7787e
Instruction ID: 991169235065c17f620e1144a409a0b9d0b7fa6167fd72f0a95363fb9c7c0c2e
Opcode Fuzzy Hash: 87d844539d4c8a6e268ddc2643ecf072427b04a12b01139f7da1bb9d3bc7787e
Instruction Fuzzy Hash: 6D8121B19006408FD328DF28DC98BAABBE9EF44314F144A5DE086E7E91E775FA44CB50

Function 00E2D9C0 Relevance: 7.7, APIs: 6, Instructions: 166COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?), ref: 00E2DA06
memmove.VCRUNTIME140(?,?,?), ref: 00E2DA37
memmove.VCRUNTIME140(?,?,?,?,?,?), ref: 00E2DA49
memmove.VCRUNTIME140(?,?,?), ref: 00E2DAC9
memmove.VCRUNTIME140(0000000F,?,?,?,?,?), ref: 00E2DAD5
memmove.VCRUNTIME140(0000000F,?,?,0000000F,?,?,?,?,?), ref: 00E2DAEC

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 75b90f57de89330d196d8308c89122bae3420953883efa01a3897ddf521cd6b3
Instruction ID: 89997fea9fb6702b88eb87769913b9c91c809baa9227cdfb20ead9849be7978c
Opcode Fuzzy Hash: 75b90f57de89330d196d8308c89122bae3420953883efa01a3897ddf521cd6b3
Instruction Fuzzy Hash: 42417FB2E04129ABCB14DFACDC81DAEBBB9FF44354B24556AE905E3301D3319E509BE0

Function 00E42430 Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000000,8E857614,00000000,?,?,00E3B7F3,00EBED7D,000000FF,?,00E3DD9A,8E857614,00000000,?,?,?,00EBE890), ref: 00E4248A
?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,?,00E3B7F3,00EBED7D,000000FF,?,00E3DD9A,8E857614,00000000,?,?,?,00EBE890,000000FF), ref: 00E424AD
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,00E3B7F3,00EBED7D,000000FF,?,00E3DD9A,8E857614,00000000,?,?,?,00EBE890,000000FF), ref: 00E42520
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,00000000,?,?,00E3B7F3,00EBED7D,000000FF), ref: 00E42594
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,?,00E3B7F3,00EBED7D,000000FF,?,00E3DD9A,8E857614,00000000,?,?,?,00EBE890,000000FF), ref: 00E425EF

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@
String ID:
API String ID: 481934583-0
Opcode ID: c6176f99084d0cc9da882068764814c1eef1969b9957aeee78bddaf5edd2c35d
Instruction ID: b0941ce90948d14d39f683ff05276d6180b75ad26bdaaa719b0f7f3a0d6a7f20
Opcode Fuzzy Hash: c6176f99084d0cc9da882068764814c1eef1969b9957aeee78bddaf5edd2c35d
Instruction Fuzzy Hash: D4619870A04245DFCB14CF59D494BAABBF1FF08308F1441ACEA16AB7A2C775E904CB51

Function 00E4A220 Relevance: 7.6, APIs: 5, Instructions: 138COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,?,?,00000030,?,00E4452B,?,?,?,00E467E0), ref: 00E4A2D7

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

memmove.VCRUNTIME140(00000000,?,00E4452B,?,00000030,?,00E4452B,?,?,?,00E467E0), ref: 00E4A2E6
memmove.VCRUNTIME140(?,00E4452B,?,00000000,?,00E4452B,?,00000030,?,00E4452B,?,?,?,00E467E0), ref: 00E4A2FC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000030,?,00E4452B,?,?,?,00E467E0), ref: 00E4A351
Concurrency::cancel_current_task.LIBCPMT ref: 00E4A35C

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: e7c96c9f4ceb6cbb73ef57cc65851b95199e7bb06082759a348c37db8faf2490
Instruction ID: 82efd3b4a002097608f59c741ddd3680897d264f2a2a1754622a2c5e356c537c
Opcode Fuzzy Hash: e7c96c9f4ceb6cbb73ef57cc65851b95199e7bb06082759a348c37db8faf2490
Instruction Fuzzy Hash: A441E171B405119FD704EF7CE8949AEB7E8EB483247285239E825E3351EB70EE008791

Function 00E4C050 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00E4C11B
memmove.VCRUNTIME140(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00E4C12A
memmove.VCRUNTIME140(?,?,?,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00E4C140
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 00E4C197
Concurrency::cancel_current_task.LIBCPMT ref: 00E4C19D

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 31b6231e7ae152454832e30b10e47be01bda564a72db968d5df325d072845320
Instruction ID: 7cb5979f4bbdd90b21b7012af75acbb23afb1dcd9661111801638fd3012fc4a4
Opcode Fuzzy Hash: 31b6231e7ae152454832e30b10e47be01bda564a72db968d5df325d072845320
Instruction Fuzzy Hash: 5B41D3B2A015019FD708DF78DC958AEB7B5EF48310B249639E816E3385E730EE51CB81

Function 00E464B0 Relevance: 7.6, APIs: 5, Instructions: 128COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,8E857614,?,?), ref: 00E4650E
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,?), ref: 00E4654E
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,?), ref: 00E46576
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,?), ref: 00E46622

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sbumpc@?$basic_streambuf@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 926534625-0
Opcode ID: ad73cebc1c013c342c3550becf30f4d19b087e3cb44da520351c5cec32d46445
Instruction ID: bb369139627f9077b4f8866a6717e74f92a18191cad7957f86d128456172039a
Opcode Fuzzy Hash: ad73cebc1c013c342c3550becf30f4d19b087e3cb44da520351c5cec32d46445
Instruction Fuzzy Hash: 5351CE34A04240CFCB14CF19D584BA9BBF1FF5A308F2485ADE406AB7A2C776AD05CB51

Function 00E3DC10 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(8E857614,00000000,7FFFFFFF), ref: 00E3DC5B
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000), ref: 00E3DC79
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 00E3DCA3
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 00E3DCB9
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,00E3C7AF,0000000A), ref: 00E3DCFB

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Init@?$basic_streambuf@V?$basic_streambuf@
String ID:
API String ID: 1830095303-0
Opcode ID: 46a161a221ed7e7e047d0144391f670d0903469dd4cf6992fc9e7dba0e2ee53e
Instruction ID: 4fbe16cd8c0fe3fd521b1f8b5ab0a7fce9bba1c2989364410774ba0125ad7753
Opcode Fuzzy Hash: 46a161a221ed7e7e047d0144391f670d0903469dd4cf6992fc9e7dba0e2ee53e
Instruction Fuzzy Hash: CF316674A00345DFCB14CF49D988B5AFBF8FB49308F10816EE806A7791C7B2A905CB90

Function 00E63F3B Relevance: 7.6, APIs: 5, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140(?,00ED5D48,?,?,?,76230E50), ref: 00E21607
__std_exception_copy.VCRUNTIME140(?,00000000,?,?,?,00ED5D48,?,?,?,76230E50), ref: 00E2162E
_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F43
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50
_CxxThrowException.VCRUNTIME140(?,00ED5CAC,?), ref: 00E64ABF

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionThrow$__std_exception_copy_callnewhmalloc
String ID:
API String ID: 3601187372-0
Opcode ID: f2040869db30936c275dd8199aea148d800f5db3373281544fd1f224347c8fed
Instruction ID: 98406b63cebb348e0489792df7c3aa94287fa8b3b0755294cdcabc53358741dd
Opcode Fuzzy Hash: f2040869db30936c275dd8199aea148d800f5db3373281544fd1f224347c8fed
Instruction Fuzzy Hash: 5C112171D4430D6BCB14ABB8EC02DDA77ACDE01790F2065A5F914F6082FB70EA5683D4

Function 00E929C0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000001,00000000,754B7170,?,00000088,00E75CD5,CURL_SSL_BACKEND,00000000,754B7170,00E74947,00000000,00E76F50), ref: 00E929CB
GetEnvironmentVariableA.KERNEL32(?,00000000,00000001,00000000,00E76F50,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E929EA
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E92A08
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00E76F50,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E92A18
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E92A30

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: freerealloc$EnvironmentVariable
String ID:
API String ID: 4071857516-0
Opcode ID: a86570c720b642c7b56a5e16ff65657281b278a1755d2e4610fc5e14aca260f7
Instruction ID: 12e39b29ebd61b38e7e60589cad6adb1bfbe18fef6449a2b310c1c5ec7b2b184
Opcode Fuzzy Hash: a86570c720b642c7b56a5e16ff65657281b278a1755d2e4610fc5e14aca260f7
Instruction Fuzzy Hash: 46017137A021246F8E31279A7C489ABBB98DBC567770A007AFF09F3201DA675C1991E1

Function 00E6F7B0 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,00E6F764,?,?,00000000,00000088,00E76784,00000000), ref: 00E6F7BD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00000088,00E76784,00000000), ref: 00E6F7C6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E6F764,?,?,00000000,00000088,00E76784,00000000), ref: 00E6F7D2
closesocket.WS2_32(?), ref: 00E6F7F4
memset.VCRUNTIME140(?,00000000,00000090), ref: 00E6F802

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free$CriticalDeleteSectionclosesocketmemset
String ID:
API String ID: 1764800466-0
Opcode ID: f56b30b2c8548b0d1f0dafb7585887612fdc503b73afecfd9eadd7e852080c76
Instruction ID: c0469c7f7af88398e4ad60b3752274ae338e1116d0c72e56ae13c9a58cd7312c
Opcode Fuzzy Hash: f56b30b2c8548b0d1f0dafb7585887612fdc503b73afecfd9eadd7e852080c76
Instruction Fuzzy Hash: 29F05EB0900700AFD6205B69BC49E8737A8AF01758F041835F94BF22A2D732F859C691

Function 00E6DD40 Relevance: 7.5, APIs: 6, Instructions: 26COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(0000000F,?,00000000,00E6E6B8,?,00000088,00000088), ref: 00E6DD55
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E6DD5E
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 00E6DD67
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E6DD70
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E6DD79
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E6DD80

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 4d5d2676bc5f16984a834bc88c7c8bd1d42c626cd725a583cd851aa3e39ab320
Instruction ID: b32557f99c5df03a58a7c325f33107958708c36d9fa6d447a2f094c553f45048
Opcode Fuzzy Hash: 4d5d2676bc5f16984a834bc88c7c8bd1d42c626cd725a583cd851aa3e39ab320
Instruction Fuzzy Hash: 46F01C32402610AFCB212F56FC0889A7BB1FF447553054559F95E7A172C732A89D9BD0

Function 00E40620 Relevance: 7.3, APIs: 3, Strings: 1, Instructions: 340COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 00E40749

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

_CxxThrowException.VCRUNTIME140(00000000,00000000,?,?,?), ref: 00E409F9
Concurrency::cancel_current_task.LIBCPMT ref: 00E409FE

Strings

m, xrefs: 00E40964, 00E4096E, 00E40985, 00E4093F, 00E40894, 00E4089E, 00E408B5

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_taskExceptionThrow_invalid_parameter_noinfo_noreturnmalloc
String ID: m
API String ID: 3455115287-2577643605
Opcode ID: d66e7801b2df12347df8a6431fa59cdca4720e22a3b2cba38708b76c6e282c96
Instruction ID: 1e0e6e67b1162e5c5d95d22179fac718179760788a45fe71079873d1fe76b27a
Opcode Fuzzy Hash: d66e7801b2df12347df8a6431fa59cdca4720e22a3b2cba38708b76c6e282c96
Instruction Fuzzy Hash: BFD146B1E002588FDB14DFA8D8846EEFBF1AF98314F24912AD955BB352D730A945CF90

Function 00E2F850 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002,00000000,00ECF9E8,00000002,?,?,?,00000001,00000000,00ECF9EC,00000001,?,?,[json.exception.,00000010,?), ref: 00E2FAB9
__std_exception_destroy.VCRUNTIME140(0000000F,?,?,8E857614,?,?), ref: 00E2FB01
__std_exception_destroy.VCRUNTIME140(?,?,8E857614,?,?), ref: 00E2FB11

Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 00E2E08E
Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 00E2E09C

Part of subcall function 00E2DFC0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?), ref: 00E2E0DF
Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(00000000,?,00000000,?,?), ref: 00E2E0E7
Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(7FFFFFFF,?,?,00000000,?,00000000,?,?), ref: 00E2E0F3

Strings

[json.exception., xrefs: 00E2F8C9

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$__std_exception_destroy_invalid_parameter_noinfo_noreturn
String ID: [json.exception.
API String ID: 1357646913-791563284
Opcode ID: 0c5f256a81c7b3822ab81c5c820e40878ca77c24cbdf9385b38eb5aeece82493
Instruction ID: 1f8f816fd074f13ab455fb488c2c0d13d7e0d15a6b2cf49328d346a1390ca6f9
Opcode Fuzzy Hash: 0c5f256a81c7b3822ab81c5c820e40878ca77c24cbdf9385b38eb5aeece82493
Instruction Fuzzy Hash: 8A910671D002489FDB08DFA8DD45BEEBBB5EF45304F24822DE414BB692D770AA85CB91

Function 00E2FF90 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 234COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,, column ,00000009,?, at line ,00000009,?,?,?,?,?,?,8E857614,?,?), ref: 00E300E4

Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 00E2E08E
Part of subcall function 00E2DFC0: memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 00E2E09C

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00000009,00000000,, column ,00000009,?, at line ,00000009,?,?,?,?,?,?), ref: 00E30229

Strings

at line , xrefs: 00E3006E
, column , xrefs: 00E300C7

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$_invalid_parameter_noinfo_noreturn
String ID: at line $, column
API String ID: 2580228974-191570568
Opcode ID: c78f8ee05acab88501193314fc5518fd72e5a63044a5eee627e1a04f455b903e
Instruction ID: 91bf02f2dffdc26f311c20130bee688b7ce7b6ad51554915edd2ff26fd93ec0c
Opcode Fuzzy Hash: c78f8ee05acab88501193314fc5518fd72e5a63044a5eee627e1a04f455b903e
Instruction Fuzzy Hash: A791D171E002488FDB18CFA8DC99BEEBBB5EF45304F248259E415BB392D7749A85CB50

Function 00E35440 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,00000001,00000001), ref: 00E35576
memmove.VCRUNTIME140(000000FF,?,00000000), ref: 00E35679
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,?,00000000), ref: 00E356BE

Strings

signature, xrefs: 00E35508

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$_invalid_parameter_noinfo_noreturn
String ID: signature
API String ID: 2580228974-2928148801
Opcode ID: c3c3c61cd92a45c621a580ad806ed713dbbda863ebb54284eff43fc897c8988c
Instruction ID: 2db1d5cf043bc009fb99016f3d4fd82bfb5e169c93d82b5f8d4b6e2291790da6
Opcode Fuzzy Hash: c3c3c61cd92a45c621a580ad806ed713dbbda863ebb54284eff43fc897c8988c
Instruction Fuzzy Hash: 6681C272D005089FCB18DFA8DC95BEEBBB5EF45304F249219E815BB385D730AA46CB91

Function 00E302E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 00E2E120: memmove.VCRUNTIME140(?,76230E50,?,?,?,?,76230E50), ref: 00E2E152

Part of subcall function 00E3F790: memmove.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,00E324D2,?,?,00000000,00000000,?,?,0000000F,00000000), ref: 00E3F7CF

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E30412
__std_exception_copy.VCRUNTIME140(?,?), ref: 00E3045C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 00E30498

Strings

out_of_range, xrefs: 00E30331

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmove$__std_exception_copy
String ID: out_of_range
API String ID: 2013804569-3053435996
Opcode ID: 45c0958f4f8039baf9ca03393224365793e9eff6dfff78bbff21f928806f5615
Instruction ID: b92ebdba7bf704c9b36f9c60d335e0f6d3a508b568a969692a76be8731883f51
Opcode Fuzzy Hash: 45c0958f4f8039baf9ca03393224365793e9eff6dfff78bbff21f928806f5615
Instruction Fuzzy Hash: F451C471D002489FDB08DFA8DC95BADBBB4FF85314F148319E525BB681E774AA84CB90

Function 00E64C3D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 00E64C7C
__current_exception_context.VCRUNTIME140 ref: 00E64C86
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E64C8D

Strings

csm, xrefs: 00E64C47

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 6e0cd085d4f968ffdaaa73632ad8b8aa1ce9f75291e59383da7947cc97b2dcb0
Instruction ID: 2006ab97966750920e450c33858ac00ad6d67bc039775aebeb7d31c038fbd8f1
Opcode Fuzzy Hash: 6e0cd085d4f968ffdaaa73632ad8b8aa1ce9f75291e59383da7947cc97b2dcb0
Instruction Fuzzy Hash: FBF027B10412058BDB305EA9A40444AFBADAE107A43642615E848EB764C730EE51C6D2

Function 00E30900 Relevance: 6.4, APIs: 5, Instructions: 172COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000030,?), ref: 00E30924
memmove.VCRUNTIME140(?), ref: 00E30954
memmove.VCRUNTIME140 ref: 00E3097B
memset.VCRUNTIME140(?,00000030), ref: 00E30990

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: 3b26b7cd52328fb2d4af8e63db6303faed9bafb032100bbec1e8b9a1c558cbb0
Instruction ID: 0caa8529ebf844cb69f4b5b3874484d5e5c9292a66df0a90cdef86cbbccae081
Opcode Fuzzy Hash: 3b26b7cd52328fb2d4af8e63db6303faed9bafb032100bbec1e8b9a1c558cbb0
Instruction Fuzzy Hash: 0851F737A052069FD710CE6DD886BD6FB99EBD5310F5842BBD848D7342E262E919C390

Function 00E3F280 Relevance: 6.3, APIs: 4, Instructions: 292COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,00EBEA7D,000000FF), ref: 00E3F5CE
Concurrency::cancel_current_task.LIBCPMT ref: 00E3F61B
Concurrency::cancel_current_task.LIBCPMT ref: 00E3F625

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task$memmove
String ID:
API String ID: 3458649463-0
Opcode ID: d2ba755b0d2aaf04c313ce2e8dd30c4920329dc15b03bbccf3a353a90170a1a4
Instruction ID: 6dcc2a99f2698694f7ad665cc5f4dbe2646414e6fb8855b0d4d22e87dda014a2
Opcode Fuzzy Hash: d2ba755b0d2aaf04c313ce2e8dd30c4920329dc15b03bbccf3a353a90170a1a4
Instruction Fuzzy Hash: DDC147B1D00259DFCB00CF68D49469EFBF0BF49314F2891AAE819AB352D775A946CF90

Function 00EB1E50 Relevance: 6.3, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00EB1E6A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00EB1E8F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00EA8421,000002E0,00E72EB8,00E76AAE,00E72EB8,00000000,?,00000000,00E72EB8,00000000,00000000,00000000,?), ref: 00EB1EB1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00EB1EC1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00EB1ED8

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7e03b62c927bdee6296c74eed186386047ac5ff9917f13d7888d89e6b9f84bfb
Instruction ID: d86f0ef23c875301085a01bef0582aaff2747ace244fa360ab55f3c95f0cad2a
Opcode Fuzzy Hash: 7e03b62c927bdee6296c74eed186386047ac5ff9917f13d7888d89e6b9f84bfb
Instruction Fuzzy Hash: D611D3B0101B019FEB609F25ED48B47BBF4FF08309F405859E89AA6AA1C776F858DF51

Function 00E7F850 Relevance: 6.3, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(000006E0,000006E0,00000000,?,00000088,00E76711,000006E0,00000000,000006E0,?,00000000,00000001,000008A0,00000000,00000088), ref: 00E7F86D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00E76711,000006E0,00000000,000006E0,?,00000000,00000001,000008A0,00000000,00000088), ref: 00E7F876
free.API-MS-WIN-CRT-HEAP-L1-1-0(000006E0,?,00000088,00E76711,000006E0,00000000,000006E0,?,00000000,00000001,000008A0,00000000,00000088), ref: 00E7F87D
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000088,00000000,?,00000088,00E76711,000006E0,00000000,000006E0,?,00000000,00000001,000008A0,00000000,00000088), ref: 00E7F88D
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000088,?,00000088,00E76711,000006E0,00000000,000006E0,?,00000000,00000001,000008A0,00000000,00000088), ref: 00E7F894

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 7399856b057b3c8644dd1d06d79f1d3a605a7dc0243b2aad50761005bc17338c
Instruction ID: b28af62d3d6edb26188a834f1ee43bb7cacc1943140cd8605400b31ffc30aa24
Opcode Fuzzy Hash: 7399856b057b3c8644dd1d06d79f1d3a605a7dc0243b2aad50761005bc17338c
Instruction Fuzzy Hash: D4F05E36101200FFDB115F46FC48A8ABB79FF84325B148136FE1D6B222C732A9688B91

Function 00E315B0 Relevance: 6.3, APIs: 4, Instructions: 279COMMON

Download Yara Rule

APIs

Part of subcall function 00E639EA: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(00E41BB3,8E857614,?,00E34792), ref: 00E639EA

memmove.VCRUNTIME140(?,?,00000001), ref: 00E316DA
memmove.VCRUNTIME140(?,?,00000002), ref: 00E31746
memmove.VCRUNTIME140(?,?,00000000,00ECFAF4,?,?,00000002,00000000,?,00000002), ref: 00E317EB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000022,?,?,00000002,00000000,?,00000002), ref: 00E318AC

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$___lc_codepage_func_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4026628035-0
Opcode ID: 62d3d7ffb6f99008adb4ba5cefdf3f62aaeeeffd2149004b910174bff721eac5
Instruction ID: 78c632467db12cc1d4ee54cf88474bb183dc0164103a9c3cf5185d9bea7e6b05
Opcode Fuzzy Hash: 62d3d7ffb6f99008adb4ba5cefdf3f62aaeeeffd2149004b910174bff721eac5
Instruction Fuzzy Hash: E8B1D170E002049FDB28DF68D888BAEBBF5FF89704F14866DE412A7741D770A945CB95

Function 00E92EE0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 166stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,0123456789abcdef,?,?), ref: 00E92F50
strchr.VCRUNTIME140 ref: 00E92F6A

Part of subcall function 00E92E30: strchr.VCRUNTIME140(0123456789,00ECF8DC,?,000006E0,00ECF8DC,?,?,00E92E2C,00000017,00000017), ref: 00E92E5C

Strings

0123456789ABCDEF, xrefs: 00E92F5D, 00E92F62
0123456789abcdef, xrefs: 00E92F42, 00E92F48

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: strchr
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 2830005266-885041942
Opcode ID: 48d874c7faca52c854c188603e672a26c11d33a83b66e077720037728d7755ef
Instruction ID: c14b055a9d7e65f2f7433159a70b614948e8b9ff0f0cf162d4c3317609ae63d6
Opcode Fuzzy Hash: 48d874c7faca52c854c188603e672a26c11d33a83b66e077720037728d7755ef
Instruction Fuzzy Hash: 4D51B171A083418BCB24DF28C58056FFBF1AF99348F446A1EF499A7201E721EA48C793

Function 00E426A0 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,00000000,00E34792,?,00000000), ref: 00E4276D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000), ref: 00E427D5
memmove.VCRUNTIME140(00000000,?,00E34792,?,00000000), ref: 00E427DD

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

Concurrency::cancel_current_task.LIBCPMT ref: 00E42815

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 94bb9ae92674918551655af86da5098029faa47e5a31f3466db0702d6b55e1fe
Instruction ID: 662e89318646127817a7d2fea8ee4a6ec291ec3e8b2bbdfd10609f345c4e5fcf
Opcode Fuzzy Hash: 94bb9ae92674918551655af86da5098029faa47e5a31f3466db0702d6b55e1fe
Instruction Fuzzy Hash: 8241D371A002199BCB08DF68E8859AEB3A5EF58314B64567EFA12E7355E730AD108790

Function 00E4A370 Relevance: 6.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?,00000030), ref: 00E4A448
memmove.VCRUNTIME140(00000000,?,?,00000030), ref: 00E4A47A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000030), ref: 00E4A4D8

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

Concurrency::cancel_current_task.LIBCPMT ref: 00E4A4DE

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemmovememset
String ID:
API String ID: 2090792099-0
Opcode ID: dd2579ba17643f793b4a69a94852f71da0653e867f9a34148792cf53b72a54fa
Instruction ID: 56cd74610712ed40fb6ced82ee2defe46949ea562ba64f9fa9a7cae4d4138534
Opcode Fuzzy Hash: dd2579ba17643f793b4a69a94852f71da0653e867f9a34148792cf53b72a54fa
Instruction Fuzzy Hash: A341EA719401059FC714DF78E889AAEB7B5FF44320F289639E825B7245E770EE14CB91

Function 00E228E0 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,00000001,00000002), ref: 00E22993
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E229DE
memmove.VCRUNTIME140(00000000,?,00000002), ref: 00E229E6

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

Concurrency::cancel_current_task.LIBCPMT ref: 00E22A0E

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: a515b279bab5261a53ddccce132c0b794915c089c5d1bb1301ed1c628bf71817
Instruction ID: 2d6147d9da2e4f3c149a0f8545561a4f6b5892027c5e07e76dd132000c13f2ea
Opcode Fuzzy Hash: a515b279bab5261a53ddccce132c0b794915c089c5d1bb1301ed1c628bf71817
Instruction Fuzzy Hash: F3414B72A002609FCB15DF78E880AAEB7A6EFD5300F2452BDE905EB345D631DE51C791

Function 00E41260 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,00E3AFF8,00000000,?,?,00E3AFF8,?,?), ref: 00E4128D
memmove.VCRUNTIME140(00000023,?,00E3AFF8,?,00E3AFF8,?,?), ref: 00E41332
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00E3AFF8,?,?), ref: 00E4137F
Concurrency::cancel_current_task.LIBCPMT ref: 00E4138A

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 3bb8eb8bc7e0b791fd61b018213970ba3914a5600e80765be29734348c4191db
Instruction ID: 6edd9cb47e80f7b7d119016b5a995913fd11a0c9b9a7e2346147d90fcbfef30e
Opcode Fuzzy Hash: 3bb8eb8bc7e0b791fd61b018213970ba3914a5600e80765be29734348c4191db
Instruction Fuzzy Hash: 84313771A002409BCB249F78E8809ADF7E9EF55350F2453BEF825EB791D7709D808791

Function 00E41A30 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00E34792,00E34792,?,?,00000000,?,00E34792,?), ref: 00E41A91

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: fed5af6bce38a1996c96ca846d6e2233bd39e7460abbbdbf9a7c8c5d9cd6bf1e
Instruction ID: 25d86af29efe0dd5e640c8821c658e8a88906c62602e990d0a2765980c199869
Opcode Fuzzy Hash: fed5af6bce38a1996c96ca846d6e2233bd39e7460abbbdbf9a7c8c5d9cd6bf1e
Instruction Fuzzy Hash: 7031F672B013048BDB309F68E84076AFBE8DF95325F2406BEE855D7291E7718A9487A1

Function 00E421C0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,00E316C1,?,00E316C0,?), ref: 00E4227A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00E316C0,?), ref: 00E422B7
memmove.VCRUNTIME140(00000000,?,00E316C1,?,00E316C0,?), ref: 00E422BF

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

Concurrency::cancel_current_task.LIBCPMT ref: 00E422D9

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 6c7a25c44f4af587a2154a7620f7e33e08b1a5f2f26142f9c549bfdaf5a5d286
Instruction ID: 85e02e273be911c72ed3a2a10c25d9f0545f455dd4a101446c3462ddbc0a7ae4
Opcode Fuzzy Hash: 6c7a25c44f4af587a2154a7620f7e33e08b1a5f2f26142f9c549bfdaf5a5d286
Instruction Fuzzy Hash: 67314973E001108BCB189F7CA8805AEB7E9EB94350B6452BDFA15FB315EA70DE4087D5

Function 00E227E0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000FF), ref: 00E22815
memmove.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,000000FF), ref: 00E228AF

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: c6b1b097ccdcbb120878918d7bb2e89284e5723735a95cf76d9fbdb757e851d4
Instruction ID: 18584ace6bf4db6c6d5ee06a1dea3c586a75cb936ef4e7566776615e2dc51501
Opcode Fuzzy Hash: c6b1b097ccdcbb120878918d7bb2e89284e5723735a95cf76d9fbdb757e851d4
Instruction Fuzzy Hash: AC210E71D00320ABC71CAF68A84499E77E8EF95360B20126DF92AA7391E771DD0087D1

Function 00E31BB0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 00E31460: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 00E3156E

_CxxThrowException.VCRUNTIME140(?,00ED5DCC,?,?,00000000,?,create_directory,8E857614,00000000), ref: 00E31C2F
_CxxThrowException.VCRUNTIME140(?,00ED5DCC,?,?,?,current_path(),8E857614,?,?), ref: 00E31CB1

Strings

current_path(), xrefs: 00E31C83
create_directory, xrefs: 00E31BF6

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
String ID: create_directory$current_path()
API String ID: 2822070131-686078018
Opcode ID: dd392a8bd81d44a55ea68df0a49f48e18531a0d7b46f5b34a98e345360c03fe9
Instruction ID: b82b0bf9af2bd33e64dbb5e2328f21b7caeffb958748e9c15692d1a2444ff74b
Opcode Fuzzy Hash: dd392a8bd81d44a55ea68df0a49f48e18531a0d7b46f5b34a98e345360c03fe9
Instruction Fuzzy Hash: 692153B1900218ABCB10DF55DD45FDBBBBCFB19720F145265F925B3291EB70BA08CAA1

Function 00E43770 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 00E4380B
memmove.VCRUNTIME140(?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F), ref: 00E4382F
memmove.VCRUNTIME140(?,?,DCC8DA8D,?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D), ref: 00E43840
Concurrency::cancel_current_task.LIBCPMT ref: 00E4385A

Part of subcall function 00E63F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00E2E1C8,?,?,?,?,76230E50), ref: 00E63F50

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: f853bbc619d63335e108189a089f4307531bfbc62d2d997d1cdcc55acd44d15c
Instruction ID: 2bae6914108030a8e78ce79e3d17056ad29304da71ee5150b97d38aaba034b0e
Opcode Fuzzy Hash: f853bbc619d63335e108189a089f4307531bfbc62d2d997d1cdcc55acd44d15c
Instruction Fuzzy Hash: 5931B2B1E002049BDB189F78E891AAFB7E5AF98340F24526AF815A7281D731DE108B91

Function 00E2E120 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,76230E50,?,?,?,?,76230E50), ref: 00E2E152
memmove.VCRUNTIME140(?,76230E50,?,?,?,?,76230E50), ref: 00E2E1DB
Concurrency::cancel_current_task.LIBCPMT ref: 00E2E1F8

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: d2fd596ef7b222303cb1710d7981642fb9a812cb1f1cd670c780353434ca562e
Instruction ID: 83ff4f7c5762ddbfc4a4447f8e4a7472b1fbba718630e0c292da95caf6c50e0c
Opcode Fuzzy Hash: d2fd596ef7b222303cb1710d7981642fb9a812cb1f1cd670c780353434ca562e
Instruction Fuzzy Hash: 6A2130729022349BD7149F68F8816AFBBD8EF55360F101276E815EB391D6308D6187D2

Function 00E4E690 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000010,?,00000000,?,?,?,80070057,?), ref: 00E4E6EC
memset.VCRUNTIME140(00000010,00000000,00000000,?,?,?,80070057,?), ref: 00E4E6F9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,80070057,?), ref: 00E4E701
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,80070057,?), ref: 00E4E70D

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 524079128-0
Opcode ID: b0a4ba775a4e63c9aeffc312e8cbe313ef8a5e959d6be8ccd64d7ef305081c4e
Instruction ID: fef47bff234939af27fdf98a84d9f143cb0eacde1f7655323928769f9cff9a2d
Opcode Fuzzy Hash: b0a4ba775a4e63c9aeffc312e8cbe313ef8a5e959d6be8ccd64d7ef305081c4e
Instruction Fuzzy Hash: 33213D75A01605EFD714DF68D889AADB7F4FF49350B1041AAE905E7361EB30ED01CB91

Function 00E75CA0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 53COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00E76F50,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00E75D19

Strings

CURL_SSL_BACKEND, xrefs: 00E75CCB
Po, xrefs: 00E75CB0

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID: CURL_SSL_BACKEND$Po
API String ID: 1294909896-1262323336
Opcode ID: e16226b38afc028d66cbac7195309724232f654dab2d91fe8aae4be5936c4d67
Instruction ID: e5b51f7f129c07741da8f620f7842e8d42af2d092ea14c39a628302cde67ad4b
Opcode Fuzzy Hash: e16226b38afc028d66cbac7195309724232f654dab2d91fe8aae4be5936c4d67
Instruction Fuzzy Hash: EA01C4726032129FD7249B66BD4CB6737F4EB80709F06506EED09B3252E772C80ACA91

Function 00E6ED50 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(754B6BF0,754B6BF0,?,?,754B6BF0), ref: 00E6ED63
__alldvrm.LIBCMT ref: 00E6ED7D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 00E6EDA4
GetTickCount.KERNEL32 ref: 00E6EDC1

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CountCounterPerformanceQueryTickUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID:
API String ID: 1296068966-0
Opcode ID: aa2a3b3255819f07403008baa1f6960b6d33c0f3842cd8f52397d0084eee792f
Instruction ID: 6bcf709e76c731b97c2fcf71badc9240ada65ebc576e2124fb8ee2294e3f3d57
Opcode Fuzzy Hash: aa2a3b3255819f07403008baa1f6960b6d33c0f3842cd8f52397d0084eee792f
Instruction Fuzzy Hash: B511E571508309AFC705EF78FD45A2A7FE9EB88300F54446EF508D6261E632A91ADB15

Function 00E63AEF Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000400,8E857614,00000000,00000000,00000000,00000000,00000000,?,?,?,00E4195C,00000000,?,00000000,00000000), ref: 00E63B0C
GetLastError.KERNEL32(?,00E4195C,00000000,?,00000000,00000000,00000000,8E857614,?,?), ref: 00E63B18
WideCharToMultiByte.KERNEL32(?,00000000,8E857614,00000000,00000000,00000000,00000000,00000000,?,00E4195C,00000000,?,00000000,00000000,00000000,8E857614), ref: 00E63B3E
GetLastError.KERNEL32(?,00E4195C,00000000,?,00000000,00000000,00000000,8E857614,?,?), ref: 00E63B4A

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: 79d7dda4fcb33329fdbf43d78782dc20894d18d63fe36e79b6fed69937dd69ad
Instruction ID: 799fdd420b6bca592f3d8748cb2f07a51566148d122bc8fc69f285af0312e5dc
Opcode Fuzzy Hash: 79d7dda4fcb33329fdbf43d78782dc20894d18d63fe36e79b6fed69937dd69ad
Instruction Fuzzy Hash: A8011232640156BF8F221F52EC08DDB3E6AEBD97E0B145124FE05A6121C632CD32E7A0

Function 00E403E1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

_dclass.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00E403F1
_dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 00E40415

Part of subcall function 00E30900: memset.VCRUNTIME140(?,00000030,?), ref: 00E30924

Strings

null, xrefs: 00E405D3

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: _dclass_dsignmemset
String ID: null
API String ID: 2282577375-634125391
Opcode ID: e35b1269e6ad51c112e16576f05f3eb373fb01742b7a61f4bfac76e671e0f9ea
Instruction ID: 0f4ba338eb95a8aae2d1aeb8d9c7ecd11386ff3a3e4cef0bb3a35c357d323241
Opcode Fuzzy Hash: e35b1269e6ad51c112e16576f05f3eb373fb01742b7a61f4bfac76e671e0f9ea
Instruction Fuzzy Hash: 6C61AD71C0061D8BDB01DFA8C9416EDFBB0FF59314F149369E955BB252EB30AA98CB90

Function 00EBC592 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 00EBC5E5: memset.VCRUNTIME140(?,00000000,00000018,?,?,00EBC59A,?,00E2151A), ref: 00EBC5F2

Part of subcall function 00E30F40: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,00ED5E4C), ref: 00E30F45
Part of subcall function 00E30F40: GetLastError.KERNEL32(?,00000000,00000000,?,00ED5E4C), ref: 00E30F4F

IsDebuggerPresent.KERNEL32(?,?,?,00E2151A), ref: 00EBC5C5
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,00E2151A), ref: 00EBC5D4

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 00EBC5CF

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 4206453544-631824599
Opcode ID: fccb6e8aacf909edde08d3a93aa0e53cec578213c5a1b2bd1bb428a92936eb8b
Instruction ID: a48fdf7b1a2ca5358e4d027ee24f53eeca09184f0e6b7c387afbbd39436403f9
Opcode Fuzzy Hash: fccb6e8aacf909edde08d3a93aa0e53cec578213c5a1b2bd1bb428a92936eb8b
Instruction Fuzzy Hash: 21E092702053118FD7309F25E509F437BE4AF04304F10986EE886F7652EBB5E449CB91

Function 00E76B30 Relevance: 5.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,00000088,00E7692E,00000000,00000D30), ref: 00E76B44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E76B68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E76B8D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00E76BBB

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 835b50fb5155357e5bf6b8b7152e6f7e9ae1a5e38ad09eaf2aeaa46014d3cfb6
Instruction ID: d83eee4b326b26da68af029c4865c764c97d6edbde0d99aa500fb9f2d030f4c6
Opcode Fuzzy Hash: 835b50fb5155357e5bf6b8b7152e6f7e9ae1a5e38ad09eaf2aeaa46014d3cfb6
Instruction Fuzzy Hash: 2B115EB1501A41AFEB298F34ED48BC1FBA4FF05308F040225D95D66261DB367468CBD5

Function 00EB2300 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00EB231A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00EB233F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00EA7805,00000368,00E72EB8,00E76AB4,00E72EB8,00E72EB8,00000000,?,00000000,00E72EB8,00000000,00000000,00000000), ref: 00EB2361
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,00E6A1C4,?,?,00E70088,?), ref: 00EB2371

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 6301876eed6ff2bedb2fc478111f05c9af27bf3b9c3ad5dace4dffb2a6edfad4
Instruction ID: f5427e1b10ba784769ff2ea144e82fff92f58e80ba00e184fbf716849c6b69af
Opcode Fuzzy Hash: 6301876eed6ff2bedb2fc478111f05c9af27bf3b9c3ad5dace4dffb2a6edfad4
Instruction Fuzzy Hash: AF01C2B0101B019FD7609F25ED48B43BBF0FF04308F009819E89A96AA1C776F8589F50

Function 00E712B0 Relevance: 5.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 00E7F170: free.API-MS-WIN-CRT-HEAP-L1-1-0(000008A0,00000000,000008A0,00E74F3E,?,00000000,000008A0,00E7ACB9,000008A0), ref: 00E7F185
Part of subcall function 00E7F170: free.API-MS-WIN-CRT-HEAP-L1-1-0(000008A0), ref: 00E7F192

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00E712DE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00E712EE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 00E712FE
memset.VCRUNTIME140(?,00000000,00000170,?,?,?,?,?,?,?,?), ref: 00E7130C

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: d4374a5b71ed939fda7a5a1d59be682c6c7de5e9c829360cd697d565e6c9aaa2
Instruction ID: 282154ee115b6b4d933063727198c3af5f715286711c24e9973a4439133b745b
Opcode Fuzzy Hash: d4374a5b71ed939fda7a5a1d59be682c6c7de5e9c829360cd697d565e6c9aaa2
Instruction Fuzzy Hash: 97013171402B10AFD7625F61ED09B87BBE0BF05708F44581CF88E25AA2C7B6B498DB91

Function 00E80860 Relevance: 5.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000006DC,00000000,?,00000088,00E7673E,000006DC), ref: 00E8087D
free.API-MS-WIN-CRT-HEAP-L1-1-0(000006DC,?,00000088,00E7673E,000006DC), ref: 00E80884
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,00000088,00E7673E,000006DC), ref: 00E80895
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000088,?,00000088,00E7673E,000006DC), ref: 00E8089C

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 79021b0c77c6f7c66c1f072044a1192495b6eb78ae7b96eac165540f603c9da3
Instruction ID: 592b0beac45edf434ee920ef836578b07feb6f45c6e8bb0110d80e9e18b6d017
Opcode Fuzzy Hash: 79021b0c77c6f7c66c1f072044a1192495b6eb78ae7b96eac165540f603c9da3
Instruction Fuzzy Hash: DCF0A736001200BFCB015F05FC44A86B778FF84325B148026FD1D6B252C732A96C8BD0

Function 00EB06B0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00E7F211,000008EC,000006DC,00E76752,00000000,?), ref: 00EB06B7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00EB06E2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00EB06F5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00EB0705

Memory Dump Source

Source File: 00000000.00000002.2217120169.0000000000E21000.00000020.00000001.01000000.00000006.sdmp, Offset: 00E20000, based on PE: true

Associated: 00000000.00000002.2217101327.0000000000E20000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217174343.0000000000EC1000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217194865.0000000000ED9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217207920.0000000000EDA000.00000008.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217243208.0000000000F26000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F28000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000000.00000002.2217259570.0000000000F42000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_e20000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 031d06e73e875e308729652fae6b7748a39aebf538f64c2962f046ce9fc325ca
Instruction ID: 8c8153861e46414b67b9951650c7fd93c7ce21aca28dbca2b3b34920153047ab
Opcode Fuzzy Hash: 031d06e73e875e308729652fae6b7748a39aebf538f64c2962f046ce9fc325ca
Instruction Fuzzy Hash: 33F0B7B0001701DFE7209F15FC08B86BBF0FF04309F108819E99A96661D776E8A8DF95

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_9ffa6a94f5231de6490ea3ae72ad68e315c65_678091f3_28510c0d-5783-4216-b77c-15c8c303aad7\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WER9362.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WER946D.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WER94CC.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Function 00E4EDB0 Relevance: 62.1, APIs: 27, Strings: 8, Instructions: 881
memorylibrarythreadCOMMON

Function 00E51670 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 264
libraryloaderinjectionCOMMON

Function 00E6C150 Relevance: 18.5, APIs: 12, Instructions: 493
COMMON

Function 00E8D550 Relevance: 12.3, APIs: 8, Instructions: 265
networksleepCOMMON

Function 00E3A610 Relevance: 9.2, APIs: 3, Strings: 2, Instructions: 428
stringCOMMON

Function 00E7F5C0 Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 188
libraryloadernetworkCOMMON

Function 00E51000 Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 304
registryCOMMON

Function 00E7F410 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 148
librarystringloaderCOMMON