Edit tour

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Overview

General Information

Sample name:	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe
Analysis ID:	1543365
MD5:	992a36edccd6fb4db6aad9c43329cb04
SHA1:	5276588b19a213b10a8c25c6c08e11d4621124d5
SHA256:	b157d6d7519daf5b2ca2b514d6291d3df5c1971884ff429e48045bd7161ca369
Tags:	exe
Infos:

Detection

Score:	76
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Contains functionality to detect virtual machines (IN, VMware)

Contains functionality to hide a thread from the debugger

Contains functionality to inject code into remote processes

Contains functionality to inject threads in other processes

Hides threads from debuggers

Tries to detect sandboxes and other dynamic analysis tools (window names)

AV process strings found (often used to terminate AV products)

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to call native functions

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to create guard pages, often used to hinder reverse engineering and debugging

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Contains functionality to read the PEB

Contains functionality which may be used to detect a debugger (GetProcessHeap)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Found decision node followed by non-executed suspicious APIs

Found large amount of non-executed APIs

IP address seen in connection with other malware

JA3 SSL client fingerprint seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

One or more processes crash

Sample execution stops while process was sleeping (likely an evasion)

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe (PID: 636 cmdline: "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5: 992A36EDCCD6FB4DB6AAD9C43329CB04)

conhost.exe (PID: 2616 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 4260 cmdline: C:\Windows\system32\cmd.exe /c cls MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 4920 cmdline: C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 | find /i /v "md5" | find /i /v "certutil" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

certutil.exe (PID: 4936 cmdline: certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 MD5: 0DDA4F16AE041578B4E250AE12E06EB1)

find.exe (PID: 5040 cmdline: find /i /v "md5" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

find.exe (PID: 7124 cmdline: find /i /v "certutil" MD5: 15B158BC998EEF74CFDD27C44978AEA0)

cmd.exe (PID: 6724 cmdline: C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

cmd.exe (PID: 5792 cmdline: cmd /C "color b && title Error && echo SSL connect error && timeout /t 5" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3660 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

timeout.exe (PID: 3160 cmdline: timeout /t 5 MD5: 976566BEEFCCA4A159ECBDB2D4B1A3E3)

WerFault.exe (PID: 4648 cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1128 MD5: C31336C1EFC2CCB44B4326EA793040F2)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_0010F990 BCryptGenRandom,

0_2_0010F990

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: -----BEGIN PUBLIC KEY-----		0_2_000F4240
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Binary or memory string: -----BEGIN PUBLIC KEY-----

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.8:49706 version: TLS 1.2

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000E3BEB GetFileAttributesExW,GetLastError,FindFirstFileW,GetLastError,FindClose,___std_fs_open_handle@16,GetFileInformationByHandleEx,GetLastError,GetFileInformationByHandleEx,GetFileInformationByHandleEx,___std_fs_close_handle@4,

0_2_000E3BEB

Source: Joe Sandbox View

IP Address: 104.26.0.5 104.26.0.5

Source: Joe Sandbox View

JA3 fingerprint: bd0bf25947d4a37404f0424edf4db9ad

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: keyauth.win

Source: Amcache.hve.14.dr	String found in binary or memory: http://upx.sf.net
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/alt-svc.html#
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/hsts.html
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/hsts.html#
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	String found in binary or memory: https://curl.se/docs/http-cookies.html#
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.1866741998.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.1866741998.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/GI
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.1866741998.000000000129E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://keyauth.win/api/1.2/y=

Source: unknown	Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49706

Source: unknown

HTTPS traffic detected: 104.26.0.5:443 -> 192.168.2.8:49706 version: TLS 1.2

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000CEDB0 GetModuleHandleW,GetProcAddress,NtSetInformationThread,VirtualAlloc,VirtualAlloc,VirtualFree,GetModuleFileNameW,GetShortPathNameW,GetEnvironmentVariableW,ShellExecuteW,NtTerminateProcess,GetCurrentProcess,NtTerminateProcess,GetWriteWatch,VirtualFree,VirtualFree,VirtualFree,GetModuleHandleW,KiUserExceptionDispatcher,KiUserExceptionDispatcher,LoadLibraryA,GetProcAddress,OpenProcess,CloseHandle,CreateFileA,CloseHandle,GetProcessHeap,HeapWalk,memset,GetCurrentThread,GetThreadContext,

0_2_000CEDB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000EC150	0_2_000EC150
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000B21F0	0_2_000B21F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_0010D550	0_2_0010D550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CEDB0	0_2_000CEDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000BA610	0_2_000BA610
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D1670	0_2_000D1670
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000A4800	0_2_000A4800
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CB000	0_2_000CB000
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000BB822	0_2_000BB822
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CD020	0_2_000CD020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000C6020	0_2_000C6020
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000A8060	0_2_000A8060
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000B58B0	0_2_000B58B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000B68D0	0_2_000B68D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000A3920	0_2_000A3920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D2950	0_2_000D2950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CB960	0_2_000CB960
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000C81D6	0_2_000C81D6
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00112A40	0_2_00112A40
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000C6AD0	0_2_000C6AD0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_0010CB30	0_2_0010CB30
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CB320	0_2_000CB320
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000A4350	0_2_000A4350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CBC90	0_2_000CBC90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000C44A0	0_2_000C44A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CACB0	0_2_000CACB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000C0D00	0_2_000C0D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000C9D80	0_2_000C9D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CB640	0_2_000CB640
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000B1ED0	0_2_000B1ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_00102710	0_2_00102710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000E4763	0_2_000E4763
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000B8FA0	0_2_000B8FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000C7FA0	0_2_000C7FA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CA7B0	0_2_000CA7B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CD7C0	0_2_000CD7C0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1128

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: mal76.evad.winEXE@20/6@1/2

Source: C:\Windows\SysWOW64\WerFault.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\WERReportingForProcess636
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2616:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3660:120:WilError_03

Source: C:\Windows\SysWOW64\WerFault.exe

File created: C:\ProgramData\Microsoft\Windows\WER\Temp\c5a7f315-5954-448a-a6b8-ad8ec588d302

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

ReversingLabs: Detection: 42%

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

String found in binary or memory: iphlpapi.dllif_nametoindexws2_32FreeAddrInfoExWGetAddrInfoExCancelGetAddrInfoExWkernel32LoadLibraryExA\/AddDllDirectoryh1h2h3%10s %512s %u %10s %512s %u "%64[^"]" %u %urt%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d

Source: unknown	Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "md5"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "certutil"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\WerFault.exe C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1128
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: msvcp140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l~?? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Section loaded: ????l??? .dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: certcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cryptui.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ntdsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: certca.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: dsrole.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: logoncli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\certutil.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: ulib.dll	Jump to behavior
Source: C:\Windows\SysWOW64\find.exe	Section loaded: fsutilext.dll	Jump to behavior
Source: C:\Windows\SysWOW64\timeout.exe	Section loaded: version.dll	Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static file information: File size 1236992 > 1048576

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000D0910 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualFree,

0_2_000D0910

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D60C8 push esp; ret		0_2_000D60C9
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000B7CDA push ebx; retn 0002h		0_2_000B7CE5

Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: FAILCRITICALERRORS \| NOGPFAULTERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\WerFault.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Contains functionality to detect virtual machines (IN, VMware)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000D14A0 in eax, dx

0_2_000D14A0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Memory allocated: 3030000 memory commit \| memory reserve \| memory write watch			Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Memory allocated: 4130000 memory commit \| memory reserve \| memory write watch			Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Decision node followed by non-executed suspicious API: DecisionNode, Non Executed (send or recv or WinExec)

graph_0-20736

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

API coverage: 8.7 %

Source: C:\Windows\SysWOW64\timeout.exe TID: 5552

Thread sleep count: 44 > 30

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

0_2_000E3BEB

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000D0E60 GetSystemInfo,VirtualAlloc,VirtualProtect,

0_2_000D0E60

Source: Amcache.hve.14.dr	Binary or memory string: VMware
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual USB Mouse
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin
Source: Amcache.hve.14.dr	Binary or memory string: VMware-42 27 c5 9a 47 85 d6 84-53 49 ec ec 87 a6 6d 67
Source: Amcache.hve.14.dr	Binary or memory string: VMware, Inc.
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1hbin@
Source: Amcache.hve.14.dr	Binary or memory string: c:\windows\system32\driverstore\filerepository\vmci.inf_amd64_68ed49469341f563
Source: Amcache.hve.14.dr	Binary or memory string: Ascsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: .Z$c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: :scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: pci\ven_15ad&dev_0740&subsys_074015ad,pci\ven_15ad&dev_0740,root\vmwvmcihostdev
Source: Amcache.hve.14.dr	Binary or memory string: c:/windows/system32/drivers/vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: scsi/cdrom&ven_necvmwar&prod_vmware_sata_cd00/4&224f42ef&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: vmci.sys
Source: Amcache.hve.14.dr	Binary or memory string: vmci.syshbin`
Source: Amcache.hve.14.dr	Binary or memory string: \driver\vmci,\driver\pci
Source: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.1866741998.000000000129E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll-
Source: Amcache.hve.14.dr	Binary or memory string: scsi/disk&ven_vmware&prod_virtual_disk/4&1656f219&0&000000
Source: Amcache.hve.14.dr	Binary or memory string: VMware20,1
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Generation Counter
Source: Amcache.hve.14.dr	Binary or memory string: NECVMWar VMware SATA CD00
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual disk SCSI Disk Device
Source: Amcache.hve.14.dr	Binary or memory string: scsi\cdromnecvmwarvmware_sata_cd001.00,scsi\cdromnecvmwarvmware_sata_cd00,scsi\cdromnecvmwar,scsi\necvmwarvmware_sata_cd001,necvmwarvmware_sata_cd001,gencdrom
Source: Amcache.hve.14.dr	Binary or memory string: scsi\diskvmware__virtual_disk____2.0_,scsi\diskvmware__virtual_disk____,scsi\diskvmware__,scsi\vmware__virtual_disk____2,vmware__virtual_disk____2,gendisk
Source: Amcache.hve.14.dr	Binary or memory string: Microsoft Hyper-V Virtualization Infrastructure Driver
Source: Amcache.hve.14.dr	Binary or memory string: VMware PCI VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware VMCI Bus Device
Source: Amcache.hve.14.dr	Binary or memory string: VMware Virtual RAM
Source: Amcache.hve.14.dr	Binary or memory string: BiosVendor:VMware, Inc.,BiosVersion:VMW201.00V.20829224.B64.2211211842,BiosReleaseDate:11/21/2022,BiosMajorRelease:0xff,BiosMinorRelease:0xff,SystemManufacturer:VMware, Inc.,SystemProduct:VMware20,1,SystemFamily:,SystemSKUNumber:,BaseboardManufacturer:,BaseboardProduct:,BaseboardVersion:,EnclosureType:0x1
Source: Amcache.hve.14.dr	Binary or memory string: vmci.inf_amd64_68ed49469341f563

Anti Debugging

Contains functionality to hide a thread from the debugger

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000CEDB0 NtSetInformationThread 000000FE,00000011,00000000,00000000

0_2_000CEDB0

Hides threads from debuggers

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Thread information set: HideFromDebugger

Jump to behavior

Tries to detect sandboxes and other dynamic analysis tools (window names)

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Open window title or class name: ollydbg
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Open window title or class name: windbgframeclass

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000E4AD5 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_000E4AD5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000D0E60 VirtualProtect 00000000,?,00000140,00000000

0_2_000D0E60

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000D0910 LoadLibraryA,GetProcAddress,VirtualAlloc,VirtualFree,

0_2_000D0910

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CEDB0 mov eax, dword ptr fs:[00000030h]	0_2_000CEDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CEDB0 mov eax, dword ptr fs:[00000030h]	0_2_000CEDB0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D7040 mov eax, dword ptr fs:[00000030h]	0_2_000D7040
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D78C0 mov eax, dword ptr fs:[00000030h]	0_2_000D78C0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D9920 mov eax, dword ptr fs:[00000030h]	0_2_000D9920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D9920 mov eax, dword ptr fs:[00000030h]	0_2_000D9920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D9920 mov eax, dword ptr fs:[00000030h]	0_2_000D9920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D9920 mov eax, dword ptr fs:[00000030h]	0_2_000D9920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3930 mov eax, dword ptr fs:[00000030h]	0_2_000D3930
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D2950 mov eax, dword ptr fs:[00000030h]	0_2_000D2950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D2950 mov eax, dword ptr fs:[00000030h]	0_2_000D2950
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D1A10 mov eax, dword ptr fs:[00000030h]	0_2_000D1A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D1A10 mov eax, dword ptr fs:[00000030h]	0_2_000D1A10
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3360 mov eax, dword ptr fs:[00000030h]	0_2_000D3360
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D6390 mov eax, dword ptr fs:[00000030h]	0_2_000D6390
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D7480 mov eax, dword ptr fs:[00000030h]	0_2_000D7480
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D7D00 mov eax, dword ptr fs:[00000030h]	0_2_000D7D00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3550 mov eax, dword ptr fs:[00000030h]	0_2_000D3550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3550 mov eax, dword ptr fs:[00000030h]	0_2_000D3550
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D8D80 mov eax, dword ptr fs:[00000030h]	0_2_000D8D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D8D80 mov eax, dword ptr fs:[00000030h]	0_2_000D8D80
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000CEDA0 mov eax, dword ptr fs:[00000030h]	0_2_000CEDA0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D05B0 mov ecx, dword ptr fs:[00000030h]	0_2_000D05B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D65C7 mov eax, dword ptr fs:[00000030h]	0_2_000D65C7
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D5E00 mov eax, dword ptr fs:[00000030h]	0_2_000D5E00
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D8600 mov eax, dword ptr fs:[00000030h]	0_2_000D8600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000DAE20 mov eax, dword ptr fs:[00000030h]	0_2_000DAE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000DAE20 mov eax, dword ptr fs:[00000030h]	0_2_000DAE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000DAE20 mov eax, dword ptr fs:[00000030h]	0_2_000DAE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000DAE20 mov eax, dword ptr fs:[00000030h]	0_2_000DAE20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3710 mov eax, dword ptr fs:[00000030h]	0_2_000D3710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D3710 mov eax, dword ptr fs:[00000030h]	0_2_000D3710
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D5724 mov eax, dword ptr fs:[00000030h]	0_2_000D5724
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D5724 mov eax, dword ptr fs:[00000030h]	0_2_000D5724
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000DA770 mov eax, dword ptr fs:[00000030h]	0_2_000DA770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000DA770 mov eax, dword ptr fs:[00000030h]	0_2_000DA770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000DA770 mov eax, dword ptr fs:[00000030h]	0_2_000DA770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000DA770 mov eax, dword ptr fs:[00000030h]	0_2_000DA770
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D67C1 mov eax, dword ptr fs:[00000030h]	0_2_000D67C1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000D67C1 mov eax, dword ptr fs:[00000030h]	0_2_000D67C1

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

0_2_000CEDB0

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000E4AD5 IsProcessorFeaturePresent,memset,memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_000E4AD5
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Code function: 0_2_000E430F SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_000E430F

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Memory protected: page execute and read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Contains functionality to inject code into remote processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000D3360 VirtualAllocEx,OpenThread,SuspendThread,GetThreadContext,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,WriteProcessMemory,SetThreadContext,ResumeThread,

0_2_000D3360

Contains functionality to inject threads in other processes

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000AE840 VirtualAllocEx,VirtualAllocEx,VirtualProtectEx,LoadLibraryA,GetProcAddress,WriteProcessMemory,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,VirtualAllocEx,WriteProcessMemory,CreateRemoteThread,CloseHandle,GetExitCodeProcess,Sleep,GetExitCodeProcess,ReadProcessMemory,Sleep,malloc,memset,WriteProcessMemory,WriteProcessMemory,VirtualProtectEx,VirtualProtectEx,WriteProcessMemory,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,VirtualFreeEx,

0_2_000AE840

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c cls	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"	Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\certutil.exe certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "md5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\find.exe find /i /v "certutil"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\timeout.exe timeout /t 5	Jump to behavior

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: GetLocaleInfoEx,FormatMessageA,

0_2_000E3EAF

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000E4CE5 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

0_2_000E4CE5

Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Code function: 0_2_000A8060 _invalid_parameter_noinfo_noreturn,GetUserNameA,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,

0_2_000A8060

Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23080.2006-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\program files\windows defender\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: c:\programdata\microsoft\windows defender\platform\4.18.23090.2008-0\msmpeng.exe
Source: Amcache.hve.14.dr	Binary or memory string: MsMpEng.exe

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	211 Process Injection	32 Virtualization/Sandbox Evasion	OS Credential Dumping	1 System Time Discovery	Remote Services	11 Archive Collected Data	22 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Native API	Boot or Logon Initialization Scripts	1 DLL Side-Loading	11 Disable or Modify Tools	LSASS Memory	331 Security Software Discovery	Remote Desktop Protocol	Data from Removable Media	1 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	Logon Script (Windows)	211 Process Injection	Security Account Manager	32 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Obfuscated Files or Information	NTDS	1 Account Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 DLL Side-Loading	LSA Secrets	1 System Owner/User Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	Steganography	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	Compile After Delivery	DCSync	13 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	42%	ReversingLabs	Win32.Trojan.Generic

Source	Detection	Scanner	Label	Link
http://upx.sf.net	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
keyauth.win	104.26.0.5	true	false		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://curl.se/docs/hsts.html	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
https://curl.se/docs/alt-svc.html#	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
http://upx.sf.net	Amcache.hve.14.dr	false	URL Reputation: safe	unknown
https://curl.se/docs/http-cookies.html#	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
https://curl.se/docs/alt-svc.html	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
https://curl.se/docs/http-cookies.html	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
https://curl.se/docs/hsts.html#	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe	false		unknown
https://keyauth.win/api/1.2/y=	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.1866741998.000000000129E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keyauth.win/api/1.2/	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.1866741998.000000000129E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keyauth.win/api/1.2/GI	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe, 00000000.00000002.1866741998.000000000129E000.00000004.00000020.00020000.00000000.sdmp	false		unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
104.26.0.5	keyauth.win	United States		13335	CLOUDFLARENETUS	false

Private

IP
127.0.0.1

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1543365
Start date and time:	2024-10-27 18:48:59 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 6m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Run name:	Run with higher sleep bypass
Number of analysed new started processes analysed:	20
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe
Detection:	MAL
Classification:	mal76.evad.winEXE@20/6@1/2
EGA Information:	Successful, ratio: 100%
HCA Information:	Successful, ratio: 63% Number of executed functions: 27 Number of non-executed functions: 142
Cookbook Comments:	Found application associated with file extension: .exe Sleeps bigger than 100000000ms are automatically reduced to 1000ms

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WerFault.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Excluded IPs from analysis (whitelisted): 20.190.159.68, 20.190.159.2, 20.190.159.23, 20.190.159.64, 40.126.31.73, 20.190.159.4, 20.190.159.71, 20.190.159.75, 52.182.143.212
Excluded domains from analysis (whitelisted): prdv4a.aadg.msidentity.com, slscr.update.microsoft.com, otelrules.azureedge.net, www.tm.v4.a.prd.aadg.akadns.net, ctldl.windowsupdate.com, login.msa.msidentity.com, fe3cr.delivery.mp.microsoft.com, ocsp.digicert.com, onedsblobprdcus15.centralus.cloudapp.azure.com, login.live.com, blobcollector.events.data.trafficmanager.net, umwatson.events.data.microsoft.com, www.tm.lg.prod.aadmsa.trafficmanager.net
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
VT rate limit hit for: SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
104.26.0.5	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse
	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse
	xxImTScxAq.exe	Get hash	malicious	Unknown	Browse
	4aOgNkVU5z.exe	Get hash	malicious	Unknown	Browse
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse
	dGuXzI4UlT.exe	Get hash	malicious	Unknown	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
keyauth.win	SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Variant.Tedy.627915.599.8749.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	lUAc7lqa56.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	xVmySfWfcW.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	LDlanZur0i.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	Fa1QSXjTZD.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	xxImTScxAq.exe	Get hash	malicious	Unknown	Browse	104.26.0.5

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CLOUDFLARENETUS	SecuriteInfo.com.Win32.Agent-BDOJ.1516.18040.exe	Get hash	malicious	Blank Grabber	Browse	104.20.23.46
	SecuriteInfo.com.Win64.MalwareX-gen.31244.2279.exe	Get hash	malicious	Unknown	Browse	104.26.1.5
	SecuriteInfo.com.Trojan.Siggen29.54948.7115.19193.exe	Get hash	malicious	Xmrig	Browse	104.20.4.235
	SecuriteInfo.com.Win64.CrypterX-gen.31361.18171.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Trojan.TR.Redcap.cdtxw.10783.3124.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	f6ffg1sZS2.exe	Get hash	malicious	Babuk, Djvu	Browse	188.114.96.3
	wo4POc0NG1.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	172.67.170.64
	K3SRs78CAv.exe	Get hash	malicious	LummaC	Browse	188.114.97.3
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc	Browse	104.21.95.91

JA3 Fingerprints

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
bd0bf25947d4a37404f0424edf4db9ad	sadfwqefrqw3f.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win64.Evo-gen.20107.17462.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.FileRepMalware.12025.7543.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Heuristic.HEUR.AGEN.1319832.32667.20795.exe	Get hash	malicious	Unknown	Browse	104.26.0.5
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	104.26.0.5
	ActSet.ps1	Get hash	malicious	Fredy Stealer	Browse	104.26.0.5
	SecuriteInfo.com.Win32.CrypterX-gen.13288.14467.dll	Get hash	malicious	Unknown	Browse	104.26.0.5
	SecuriteInfo.com.Win32.CrypterX-gen.13288.14467.dll	Get hash	malicious	Unknown	Browse	104.26.0.5
	IDMan.exe	Get hash	malicious	Fredy Stealer	Browse	104.26.0.5

Dropped Files

⊘No context

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_9ffa6a94f5231de6490ea3ae72ad68e315c65_678091f3_076ba889-fe90-4a2b-a0ee-af4f1e04b704\Report.wer

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	0.9215035327555512
Encrypted:	false
SSDEEP:	96:IzFPYosKhGQ7LVSFQXIDcQ8c6DFcE6cw3++HbHg/opAnQzOqg7TKENdUzX0iXwjI:ilYo70ytgTjb5zuiFnZ24IO8rM
MD5:	E810F17595B7FA8DBC09A3CF3C4747BB
SHA1:	BB3654576D44CDB1A0400CB23D4341BD5841302F
SHA-256:	BD41BE434ABD64EC1E54CE1326789F104C2E6197D6A979A0E2E896CDE3F95F19
SHA-512:	28B08A6801B463B61DCF414189822E2377F75426188E36390F0CB1452E1B0B9BE8926AE52A46CA7EBE4912A0E8E649A70799DAC06687BD7280371FD6C4AC6CDD
Malicious:	false
Preview:	..V.e.r.s.i.o.n.=.1.....E.v.e.n.t.T.y.p.e.=.B.E.X.....E.v.e.n.t.T.i.m.e.=.1.3.3.7.4.5.2.5.0.0.4.3.9.7.4.9.1.3.....R.e.p.o.r.t.T.y.p.e.=.2.....C.o.n.s.e.n.t.=.1.....U.p.l.o.a.d.T.i.m.e.=.1.3.3.7.4.5.2.5.0.0.4.8.9.7.5.0.6.8.....R.e.p.o.r.t.S.t.a.t.u.s.=.5.2.4.3.8.4.....R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.0.7.6.b.a.8.8.9.-.f.e.9.0.-.4.a.2.b.-.a.0.e.e.-.a.f.4.f.1.e.0.4.b.7.0.4.....I.n.t.e.g.r.a.t.o.r.R.e.p.o.r.t.I.d.e.n.t.i.f.i.e.r.=.9.c.1.f.c.2.a.2.-.9.5.7.6.-.4.f.0.1.-.8.a.c.3.-.4.c.b.8.4.7.2.f.d.8.7.6.....W.o.w.6.4.H.o.s.t.=.3.4.4.0.4.....W.o.w.6.4.G.u.e.s.t.=.3.3.2.....N.s.A.p.p.N.a.m.e.=.S.e.c.u.r.i.t.e.I.n.f.o...c.o.m...T.r.o.j.a.n...G.e.n.e.r.i.c.K.D...7.4.4.4.4.4.2.8...1.7.3.3.6...1.0.1.9...e.x.e.....A.p.p.S.e.s.s.i.o.n.G.u.i.d.=.0.0.0.0.0.2.7.c.-.0.0.0.1.-.0.0.1.4.-.2.5.1.6.-.8.d.a.3.9.8.2.8.d.b.0.1.....T.a.r.g.e.t.A.p.p.I.d.=.W.:.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.1.8.9.0.a.f.d.8.0.7.0.9.!.0.0.0.0.d.a.3.9.a.3.e.e.5.e.6.b.4.b.0.d.3.2.5.5.b.f.e.f.9.5.6.0.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA447.tmp.dmp

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	Mini DuMP crash report, 14 streams, Sun Oct 27 17:50:04 2024, 0x1205a4 type
Category:	dropped
Size (bytes):	99536
Entropy (8bit):	1.768554767921618
Encrypted:	false
SSDEEP:	384:dl1TQdBpssoTcG+TBXoj29gaiPh2qCd+FGof8srWA2:5GBpssoIG+ej2HQhnhFGoksrH2
MD5:	6A849AE1DB7F2A9646F5B7861969E867
SHA1:	0391573EAB3AED725264B06B8595441B0A02ECCD
SHA-256:	E1B0AF57AD6164FB63B3DE190A2737CC6E175D364DAD429307A03485CDBCF428
SHA-512:	F610EDA8096600F3EA87083EFAEC032B3A9E6679DFE33D122D255B5EB7AAD73CB3EE48B413B716DB7673DFB28EC005EF972F8E0A9D0424EDE1B717E3EC5DE5C5
Malicious:	false
Preview:	MDMP..a..... .......L}.g.........................................>..........T.......8...........T............+...Y......................................................................................................eJ......\|.......GenuineIntel............T.......\|...F}.g.............................0..............,...E.a.s.t.e.r.n. .S.t.a.n.d.a.r.d. .T.i.m.e...........................................E.a.s.t.e.r.n. .S.u.m.m.e.r. .T.i.m.e...............................................1.9.0.4.1...1...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6...................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA503.tmp.WERInternalMetadata.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, Unicode text, UTF-16, little-endian text, with CRLF line terminators
Category:	dropped
Size (bytes):	8544
Entropy (8bit):	3.693408994187796
Encrypted:	false
SSDEEP:	192:R6l7wVeJFJ6zX6YSXSUApgmffNtTpDt89bV8sfnAnm:R6lXJL6zX6YySUApgmfvcVPfd
MD5:	92CD3CC09CFFB68EEC98514C49E7C283
SHA1:	D43B5AA2BBCE0859452EF00044915EB21D1EE2BD
SHA-256:	162980654ACC96296D24F624C3668DE6741FF528A10B4031DEC9FD3C658F0DBD
SHA-512:	84A61A3C3800DDF447877AB4F891C16B18CB676D6B1592533453312CB6EB7B47DACBD4BB32CF8F67FD9577331B77DE33BA4CC8AA38A8A056A7AF10069AC1D71E
Malicious:	false
Preview:	..<.?.x.m.l. .v.e.r.s.i.o.n.=.".1...0.". .e.n.c.o.d.i.n.g.=.".U.T.F.-.1.6.".?.>.....<.W.E.R.R.e.p.o.r.t.M.e.t.a.d.a.t.a.>.......<.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.........<.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.1.0...0.<./.W.i.n.d.o.w.s.N.T.V.e.r.s.i.o.n.>.........<.B.u.i.l.d.>.1.9.0.4.5.<./.B.u.i.l.d.>.........<.P.r.o.d.u.c.t.>.(.0.x.3.0.).:. .W.i.n.d.o.w.s. .1.0. .P.r.o.<./.P.r.o.d.u.c.t.>.........<.E.d.i.t.i.o.n.>.P.r.o.f.e.s.s.i.o.n.a.l.<./.E.d.i.t.i.o.n.>.........<.B.u.i.l.d.S.t.r.i.n.g.>.1.9.0.4.1...2.0.0.6...a.m.d.6.4.f.r.e...v.b._.r.e.l.e.a.s.e...1.9.1.2.0.6.-.1.4.0.6.<./.B.u.i.l.d.S.t.r.i.n.g.>.........<.R.e.v.i.s.i.o.n.>.2.0.0.6.<./.R.e.v.i.s.i.o.n.>.........<.F.l.a.v.o.r.>.M.u.l.t.i.p.r.o.c.e.s.s.o.r. .F.r.e.e.<./.F.l.a.v.o.r.>.........<.A.r.c.h.i.t.e.c.t.u.r.e.>.X.6.4.<./.A.r.c.h.i.t.e.c.t.u.r.e.>.........<.L.C.I.D.>.2.0.5.7.<./.L.C.I.D.>.......<./.O.S.V.e.r.s.i.o.n.I.n.f.o.r.m.a.t.i.o.n.>.......<.P.r.o.c.e.s.s.I.n.f.o.r.m.a.t.i.o.n.>.........<.P.i.d.>.6.3.6.<./.P.i.d.

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA572.tmp.xml

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	XML 1.0 document, ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	4981
Entropy (8bit):	4.5726407063925585
Encrypted:	false
SSDEEP:	48:cvIwWl8zsFJg77aI98PWpW8VY0a5Ym8M4J3eA+lFuwc+q8v+A+XHKcQIcQd0h0DT:uIjffI7ye7VOoJtRKUKku6Ldd
MD5:	173F57928115A579D0A869836636CFE4
SHA1:	DBFFBF5356AA4020395B72EF97B8EFE5865AC5D2
SHA-256:	21AF911ED3D7C56D5006061B7C57EBB8FA3B0428A7F17CFCFE595A0AE553626A
SHA-512:	E43731146B1A6804BFB5AC28C83BB4EC7BFBDEE9FEAD3CC9B09D3781A138F7661B3B355F3E8458CBDF386A5539C38E82B0BA34229E5B09D8272001157C9C50BE
Malicious:	false
Preview:	<?xml version="1.0" encoding="UTF-8" standalone="yes"?>..<req ver="2">.. <tlm>.. <src>.. <desc>.. <mach>.. <os>.. <arg nm="vermaj" val="10" />.. <arg nm="vermin" val="0" />.. <arg nm="verbld" val="19045" />.. <arg nm="vercsdbld" val="2006" />.. <arg nm="verqfe" val="2006" />.. <arg nm="csdbld" val="2006" />.. <arg nm="versp" val="0" />.. <arg nm="arch" val="9" />.. <arg nm="lcid" val="2057" />.. <arg nm="geoid" val="223" />.. <arg nm="sku" val="48" />.. <arg nm="domain" val="0" />.. <arg nm="prodsuite" val="256" />.. <arg nm="ntprodtype" val="1" />.. <arg nm="platid" val="2" />.. <arg nm="tmsi" val="562132" />.. <arg nm="osinsty" val="1" />.. <arg nm="iever" val="11.789.19041.0-11.0.1000" />.. <arg nm="portos" val="0" />.. <arg nm="ram" val="409

C:\Windows\appcompat\Programs\Amcache.hve

Download File

Process:	C:\Windows\SysWOW64\WerFault.exe
File Type:	MS Windows registry file, NT/2000 or above
Category:	dropped
Size (bytes):	1835008
Entropy (8bit):	4.3694013153930635
Encrypted:	false
SSDEEP:	6144:EFVfpi6ceLP/9skLmb0ayWWSPtaJG8nAge35OlMMhA2AX4WABlguNliL:EV1QyWWI/glMM6kF7/q
MD5:	EDEE239CC8EF143565471B4A81C8E242
SHA1:	28D1096E5FF33EFBD5741C95B51325C9D6F87118
SHA-256:	91FE5BA3B4984E2B91D6B6AFB39DD2DC2CEB4F9795C729E48792E415209E06DF
SHA-512:	07CB1AAD5BE7F59DA650E48BF8CE2A3FDA3197E0A759196CCCA72677F9FCF17002EBFE825A2D67C657D14C16E4DC0B5A51A7549CBF15EFC75D7FE2086E3A1B1F
Malicious:	false
Preview:	regfC...C....\.Z.................... ....0......\.A.p.p.C.o.m.p.a.t.\.P.r.o.g.r.a.m.s.\.A.m.c.a.c.h.e...h.v.e....c...b...#.......c...b...#...........c...b...#......rmtmB.+..(..............................................................................................................................................................................................................................................................................................................................................\|.<.........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

\Device\ConDrv

Download File

Process:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe
File Type:	ASCII text, with no line terminators, with escape sequences
Category:	dropped
Size (bytes):	53
Entropy (8bit):	4.689815737418786
Encrypted:	false
SSDEEP:	3:YoRTxCx+q49Vg9ND:5FCxj4M9B
MD5:	4E5EAA5EDD9A5CCC5BA3FBC366C81217
SHA1:	0F4809FE5246C5705941577EAA1BA429A71021F0
SHA-256:	E97F3155C7BB79912EA1DCC882518274A59FEDC7D14E07C60B068B79A79C0E1C
SHA-512:	F5A9B69AD75B0F52B1C857C116D2A8E003F449C51A9D91AEA078B19A25565D186B4B4DE4BD913C5E4BD68BF75CB68B68BBF7F4727F9F8D54DBA8F8541C27C754
Malicious:	false
Preview:	.[38;2;146;79;255m[~].[0m Connecting to the server...

Static File Info

General

File type:	PE32 executable (console) Intel 80386, for MS Windows
Entropy (8bit):	6.657566619637477
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe
File size:	1'236'992 bytes
MD5:	992a36edccd6fb4db6aad9c43329cb04
SHA1:	5276588b19a213b10a8c25c6c08e11d4621124d5
SHA256:	b157d6d7519daf5b2ca2b514d6291d3df5c1971884ff429e48045bd7161ca369
SHA512:	666b2936016fca2444d547698e231a938277a1e1c3096ebc8529ecdd6cf8e37a5031d1d59439918ac0eecc83b129f26eaf6bfb9f1f326f0168531d870260c676
SSDEEP:	24576:gu+4D/tSdf1y6zQOC7eZXjPBKZR2xim/KDRzstB:gQtSdflppb0ZRCimiDRYf
TLSH:	8045AE32B681D072E1C601B1606AABF65A7D69345B6188C7B7C06E7DCA203D16F36F1F
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........I6..'e..'e..'e...e..'e..#d..'e.E&d..'e.G.e..'e.G$d..'e.G#d..'e.G"d..'e.G&d..'e..&e<.'e.@.d..'e.@.e..'e...e..'e.@%d..'eRich..'

File Icon


Icon Hash:	0fcd1333134d1f0e

Static PE Info

General

Entrypoint:	0x444756
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows cui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x671A2FDC [Thu Oct 24 11:30:36 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	6
OS Version Minor:	0
File Version Major:	6
File Version Minor:	0
Subsystem Version Major:	6
Subsystem Version Minor:	0
Import Hash:	2e393828d40d2fd8900ef58c7c62e06f

Entrypoint Preview

Instruction
call 00007FC9D47B704Ch
jmp 00007FC9D47B68E9h
retn 0000h
push ebp
mov ebp, esp
and dword ptr [00506BF8h], 00000000h
sub esp, 28h
or dword ptr [004B9090h], 01h
push 0000000Ah
call dword ptr [004A10F8h]
test eax, eax
je 00007FC9D47B6D7Bh
push ebx
push esi
push edi
xor eax, eax
lea edi, dword ptr [ebp-28h]
xor ecx, ecx
push ebx
cpuid
mov esi, ebx
pop ebx
nop
mov dword ptr [edi], eax
mov dword ptr [edi+04h], esi
mov dword ptr [edi+08h], ecx
xor ecx, ecx
mov dword ptr [edi+0Ch], edx
mov eax, dword ptr [ebp-28h]
mov edi, dword ptr [ebp-24h]
mov dword ptr [ebp-04h], eax
xor edi, 756E6547h
mov eax, dword ptr [ebp-1Ch]
xor eax, 49656E69h
mov dword ptr [ebp-18h], eax
mov eax, dword ptr [ebp-20h]
xor eax, 6C65746Eh
mov dword ptr [ebp-14h], eax
xor eax, eax
inc eax
push ebx
cpuid
mov esi, ebx
pop ebx
nop
lea ebx, dword ptr [ebp-28h]
mov dword ptr [ebx], eax
mov eax, dword ptr [ebp-18h]
or eax, dword ptr [ebp-14h]
or eax, edi
mov dword ptr [ebx+04h], esi
mov dword ptr [ebx+08h], ecx
mov dword ptr [ebx+0Ch], edx
jne 00007FC9D47B6AABh
mov eax, dword ptr [ebp-28h]
and eax, 0FFF3FF0h
cmp eax, 000106C0h
je 00007FC9D47B6A95h
cmp eax, 00020660h
je 00007FC9D47B6A8Eh
cmp eax, 00020670h
je 00007FC9D47B6A87h
cmp eax, 00030650h
je 00007FC9D47B6A80h
cmp eax, 00030660h
je 00007FC9D47B6A79h
cmp eax, 00030670h
jne 00007FC9D47B6A79h

Rich Headers

Programming Language:

[IMP] VS2008 SP1 build 30729

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0xb5ed8	0x208	.rdata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x108000	0x22c20	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x12b000	0x62c4	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0xb2180	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xb21c0	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0xb20c0	0x40	.rdata
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0xa1000	0x6b0	.rdata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x9f1fc	0x9f200	2786dd19dc325e6ecd53d85610130304	False	0.4886678858994501	data	6.577665712001494	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.rdata	0xa1000	0x17c40	0x17e00	bd7fa78785f58d1f0c9c77ec2c095d5f	False	0.3919748036649215	data	5.635575515861512	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.data	0xb9000	0x4e1e8	0x4da00	f8cd3a11456809df1b2f086b21b4eb35	False	0.5262649708132046	data	6.469389322836828	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x108000	0x22c20	0x22e00	0f61c35135555a22656b45fbc670384e	False	0.49721382168458783	data	6.06443588461351	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0x12b000	0x62c4	0x6400	5468de62e230485b93ad67b10cc7c1d0	False	0.7203515625	data	6.682852540103243	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
RT_ICON	0x1081f0	0xa33d	PNG image data, 256 x 256, 8-bit/color RGBA, non-interlaced	Russian	Russia	0.9980138313910359
RT_ICON	0x112530	0x10828	Device independent bitmap graphic, 128 x 256 x 32, image size 65536, resolution 2835 x 2835 px/m	Russian	Russia	0.2503844788832367
RT_ICON	0x122d58	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16384, resolution 2835 x 2835 px/m	Russian	Russia	0.3471894189891356
RT_ICON	0x126f80	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9216, resolution 2835 x 2835 px/m	Russian	Russia	0.3970954356846473
RT_ICON	0x129528	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4096, resolution 2835 x 2835 px/m	Russian	Russia	0.48827392120075047
RT_ICON	0x12a5d0	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1024, resolution 2835 x 2835 px/m	Russian	Russia	0.649822695035461
RT_GROUP_ICON	0x12aa38	0x5a	data	Russian	Russia	0.7666666666666667
RT_MANIFEST	0x12aa98	0x188	XML 1.0 document, ASCII text, with CRLF line terminators	English	United States	0.5892857142857143

Imports

DLL	Import
MSVCP140.dll	_Thrd_detach, _Query_perf_counter, _Cnd_do_broadcast_at_thread_exit, ?cin@std@@3V?$basic_istream@DU?$char_traits@D@std@@@1@A, ?cout@std@@3V?$basic_ostream@DU?$char_traits@D@std@@@1@A, ?_Throw_Cpp_error@std@@YAXH@Z, _Query_perf_frequency, ?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ??7ios_base@std@@QBE_NXZ, ?getloc@ios_base@std@@QBE?AVlocale@2@XZ, ??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z, ??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z, ?imbue@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEXABVlocale@2@@Z, ?sync@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?setbuf@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEPAV12@PAD_J@Z, ?uflow@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAEHXZ, ?_Unlock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?_Lock@?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAEXXZ, ?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z, ?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ?clear@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z, ?_Syserror_map@std@@YAPBDH@Z, ?id@?$ctype@D@std@@2V0locale@2@A, ?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z, ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z, ?_Xbad_function_call@std@@YAXXZ, ?_Winerror_map@std@@YAHH@Z, ?_Xbad_alloc@std@@YAXXZ, ?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z, ?flush@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV12@XZ, ?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z, ?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z, ?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ, ?uncaught_exception@std@@YA_NXZ, ??Bid@locale@std@@QAEIXZ, ?always_noconv@codecvt_base@std@@QBE_NXZ, ?good@ios_base@std@@QBE_NXZ, ??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ, ??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ, ?xsputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPBD_J@Z, ?xsgetn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JPAD_J@Z, ??1_Lockit@std@@QAE@XZ, ?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ, ?showmanyc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@MAE_JXZ, ??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ, ??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ, ?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z, ?eback@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IBEPADXZ, ?out@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ?in@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PBD1AAPBDPAD3AAPAD@Z, ??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z, ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ, ?setg@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXPAD00@Z, ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ, ??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ, ?unshift@?$codecvt@DDU_Mbstatet@@@std@@QBEHAAU_Mbstatet@@PAD1AAPAD@Z, ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z, ?_Xlength_error@std@@YAXPBD@Z, ?id@?$codecvt@DDU_Mbstatet@@@std@@2V0locale@2@A, ?_Xout_of_range@std@@YAXPBD@Z, ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ, ??0_Lockit@std@@QAE@H@Z, ?ignore@?$basic_istream@DU?$char_traits@D@std@@@std@@QAEAAV12@_JH@Z
ADVAPI32.dll	CryptAcquireContextA, CryptReleaseContext, CryptGetHashParam, CryptCreateHash, CryptHashData, CryptDestroyHash, CryptDestroyKey, CryptImportKey, CryptEncrypt, RegCloseKey, RegQueryValueExA, RegCreateKeyExA, RegSetValueExA, RegOpenKeyExA, LookupPrivilegeValueW, AdjustTokenPrivileges, CloseServiceHandle, OpenSCManagerW, ControlService, RegOpenKeyExW, RegGetValueW, OpenServiceW, QueryServiceStatusEx, CopySid, IsValidSid, ConvertSidToStringSidW, GetLengthSid, ConvertSidToStringSidA, GetUserNameA, OpenProcessToken, GetTokenInformation
KERNEL32.dll	TerminateProcess, SetUnhandledExceptionFilter, UnhandledExceptionFilter, SleepConditionVariableSRW, GetFileSizeEx, AcquireSRWLockExclusive, ReleaseSRWLockExclusive, GetLocaleInfoEx, FormatMessageA, MultiByteToWideChar, GetFileInformationByHandleEx, EnterCriticalSection, AreFileApisANSI, IsProcessorFeaturePresent, GetFileAttributesExW, FindFirstFileW, FindClose, CreateFileW, CreateDirectoryW, GetCurrentDirectoryW, OpenThread, SetThreadContext, CreateProcessA, IsDebuggerPresent, LeaveCriticalSection, SetEvent, WaitForSingleObject, CreateEventA, QueryPerformanceFrequency, GetSystemDirectoryA, FreeLibrary, MoveFileExA, WaitForSingleObjectEx, GetEnvironmentVariableA, GetFileType, ReadFile, PeekNamedPipe, QueryPerformanceCounter, GetCurrentThreadId, GetSystemTimeAsFileTime, InitializeSListHead, SetLastError, FormatMessageW, GetTickCount, WaitForMultipleObjects, SleepEx, WakeAllConditionVariable, VirtualProtect, GetModuleFileNameW, GetModuleHandleA, LoadLibraryW, GetProcAddress, GetModuleHandleW, GetCurrentProcess, CloseHandle, LocalFree, WriteProcessMemory, Sleep, LoadLibraryA, VirtualProtectEx, VirtualAllocEx, ReadProcessMemory, CreateRemoteThread, VirtualFreeEx, GetExitCodeProcess, GetModuleFileNameA, HeapFree, InitializeCriticalSectionEx, HeapSize, GetLastError, HeapReAlloc, CreateThread, HeapAlloc, HeapDestroy, DeleteCriticalSection, GetProcessHeap, WideCharToMultiByte, VirtualFree, GetStdHandle, GetShortPathNameW, SetConsoleMode, VirtualAlloc, Thread32Next, GetEnvironmentVariableW, GetWriteWatch, Thread32First, SuspendThread, HeapWalk, ResumeThread, OpenProcess, GetConsoleMode, GetTickCount64, Process32NextW, CreateFileA, GetCurrentThread, Process32FirstW, RaiseException, GetSystemInfo, GetThreadContext, VerSetConditionMask, GetCurrentProcessId, VerifyVersionInfoW, OutputDebugStringW
USER32.dll	MessageBoxA, FindWindowW
SHELL32.dll	ShellExecuteW, ShellExecuteA
SHLWAPI.dll	PathFindFileNameW
RPCRT4.dll	RpcStringFreeA, UuidToStringA, UuidCreate
USERENV.dll	UnloadUserProfile
VCRUNTIME140.dll	memmove, memcpy, wcsstr, memchr, strstr, __CxxFrameHandler3, __std_exception_destroy, strchr, _except_handler4_common, memset, strrchr, __std_terminate, __current_exception_context, __std_exception_copy, __current_exception, _CxxThrowException
api-ms-win-crt-stdio-l1-1-0.dll	__p__commode, fflush, fclose, fputs, _close, __stdio_common_vsscanf, fgetc, __stdio_common_vswprintf, __stdio_common_vfprintf, _fileno, feof, __acrt_iob_func, _lseeki64, fseek, fwrite, ftell, fgetpos, _popen, setvbuf, ungetc, __stdio_common_vsprintf, _write, _read, fgets, fputc, _pclose, fsetpos, fread, _fseeki64, _open, _set_fmode, _get_stream_buffer_pointers, fopen
api-ms-win-crt-filesystem-l1-1-0.dll	_unlink, rename, _access, _lock_file, _unlock_file, _stat64, _fstat64
api-ms-win-crt-string-l1-1-0.dll	strncpy, _strdup, strspn, strcspn, strncmp, strpbrk, strcat_s
api-ms-win-crt-runtime-l1-1-0.dll	_beginthreadex, terminate, _resetstkoflw, _errno, system, __sys_nerr, __sys_errlist, exit, _controlfp_s, _invalid_parameter_noinfo, _invalid_parameter_noinfo_noreturn, _register_thread_local_exe_atexit_callback, _c_exit, __p___wargv, __p___argc, _exit, _initterm_e, _initterm, _get_initial_wide_environment, _initialize_wide_environment, _configure_wide_argv, abort, _set_app_type, _seh_filter_exe, _cexit, _crt_atexit, _register_onexit_function, _initialize_onexit_table
api-ms-win-crt-heap-l1-1-0.dll	calloc, _recalloc, _callnewh, realloc, free, malloc, _set_new_mode
api-ms-win-crt-math-l1-1-0.dll	__setusermatherr, _dsign, _fdopen, _dclass
api-ms-win-crt-convert-l1-1-0.dll	strtoul, atoi, strtol, strtoull, strtoll, strtod, wcstombs
api-ms-win-crt-time-l1-1-0.dll	_time64, strftime, _localtime64, _localtime64_s, _gmtime64
api-ms-win-crt-locale-l1-1-0.dll	_configthreadlocale, localeconv, ___lc_codepage_func
api-ms-win-crt-environment-l1-1-0.dll	getenv
api-ms-win-crt-utility-l1-1-0.dll	qsort, srand, rand
bcrypt.dll	BCryptGenRandom
Normaliz.dll	IdnToAscii, IdnToUnicode
WLDAP32.dll
CRYPT32.dll	CertOpenStore, CertEnumCertificatesInStore, CertFindCertificateInStore, CertFreeCertificateContext, CryptStringToBinaryA, PFXImportCertStore, CryptDecodeObjectEx, CertAddCertificateContextToStore, CertFindExtension, CertGetNameStringA, CryptQueryObject, CertCreateCertificateChainEngine, CertFreeCertificateChainEngine, CertGetCertificateChain, CertFreeCertificateChain, CertCloseStore
WS2_32.dll	send, WSACloseEvent, WSACreateEvent, WSAEnumNetworkEvents, WSAEventSelect, WSAResetEvent, WSAWaitForMultipleEvents, closesocket, WSASetLastError, WSAGetLastError, ntohs, WSAStartup, WSACleanup, setsockopt, WSAIoctl, htons, getsockopt, socket, __WSAFDIsSet, select, accept, bind, connect, getsockname, htonl, listen, recv, getaddrinfo, freeaddrinfo, recvfrom, sendto, getpeername, ioctlsocket, gethostname

Possible Origin

Language of compilation system	Country where language is spoken	Map
Russian	Russia
English	United States

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 18:50:02.311584949 CET	49706	443	192.168.2.8	104.26.0.5
Oct 27, 2024 18:50:02.311625004 CET	443	49706	104.26.0.5	192.168.2.8
Oct 27, 2024 18:50:02.311696053 CET	49706	443	192.168.2.8	104.26.0.5
Oct 27, 2024 18:50:02.324100971 CET	49706	443	192.168.2.8	104.26.0.5
Oct 27, 2024 18:50:02.324117899 CET	443	49706	104.26.0.5	192.168.2.8
Oct 27, 2024 18:50:02.939691067 CET	443	49706	104.26.0.5	192.168.2.8
Oct 27, 2024 18:50:02.939763069 CET	49706	443	192.168.2.8	104.26.0.5
Oct 27, 2024 18:50:04.378292084 CET	49706	443	192.168.2.8	104.26.0.5
Oct 27, 2024 18:50:04.378319979 CET	443	49706	104.26.0.5	192.168.2.8
Oct 27, 2024 18:50:04.378451109 CET	49706	443	192.168.2.8	104.26.0.5
Oct 27, 2024 18:50:04.378566027 CET	443	49706	104.26.0.5	192.168.2.8
Oct 27, 2024 18:50:04.378617048 CET	49706	443	192.168.2.8	104.26.0.5

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 27, 2024 18:50:02.300498962 CET	50869	53	192.168.2.8	1.1.1.1
Oct 27, 2024 18:50:02.308490038 CET	53	50869	1.1.1.1	192.168.2.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 27, 2024 18:50:02.300498962 CET	192.168.2.8	1.1.1.1	0x2c1f	Standard query (0)	keyauth.win	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Oct 27, 2024 18:50:02.308490038 CET	1.1.1.1	192.168.2.8	0x2c1f	No error (0)	keyauth.win	104.26.0.5	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:50:02.308490038 CET	1.1.1.1	192.168.2.8	0x2c1f	No error (0)	keyauth.win	104.26.1.5	A (IP address)	IN (0x0001)	false
Oct 27, 2024 18:50:02.308490038 CET	1.1.1.1	192.168.2.8	0x2c1f	No error (0)	keyauth.win	172.67.72.57	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	13:49:58
Start date:	27/10/2024
Path:	C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe"
Imagebase:	0xa0000
File size:	1'236'992 bytes
MD5 hash:	992A36EDCCD6FB4DB6AAD9C43329CB04
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	13:49:58
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	13:50:01
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c cls
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	13:50:01
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5 \| find /i /v "md5" \| find /i /v "certutil"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	13:50:01
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\certutil.exe
Wow64 process (32bit):	true
Commandline:	certutil -hashfile "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe" MD5
Imagebase:	0x2d0000
File size:	1'277'440 bytes
MD5 hash:	0DDA4F16AE041578B4E250AE12E06EB1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	13:50:01
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	find /i /v "md5"
Imagebase:	0x760000
File size:	14'848 bytes
MD5 hash:	15B158BC998EEF74CFDD27C44978AEA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	13:50:01
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\find.exe
Wow64 process (32bit):	true
Commandline:	find /i /v "certutil"
Imagebase:	0x760000
File size:	14'848 bytes
MD5 hash:	15B158BC998EEF74CFDD27C44978AEA0
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	13:50:03
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c start cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	13:50:03
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C "color b && title Error && echo SSL connect error && timeout /t 5"
Imagebase:	0xa40000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	13:50:03
Start date:	27/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6ee680000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	13:50:04
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\timeout.exe
Wow64 process (32bit):	true
Commandline:	timeout /t 5
Imagebase:	0xef0000
File size:	25'088 bytes
MD5 hash:	976566BEEFCCA4A159ECBDB2D4B1A3E3
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	13:50:04
Start date:	27/10/2024
Path:	C:\Windows\SysWOW64\WerFault.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\SysWOW64\WerFault.exe -u -p 636 -s 1128
Imagebase:	0x270000
File size:	483'680 bytes
MD5 hash:	C31336C1EFC2CCB44B4326EA793040F2
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	6.3%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	29.6%
Total number of Nodes:	1171
Total number of Limit Nodes:	51

Executed Functions

Function 000B21F0 Relevance: 74.0, APIs: 37, Strings: 4, Instructions: 2272windowsleepthreadCOMMON

Download Yara Rule

APIs

CreateThread.KERNELBASE(00000000,00000000,000BDA40,00000000,00000000,00000000), ref: 000B225B
UuidCreate.RPCRT4(?), ref: 000B22AF
UuidToStringA.RPCRT4(?,?), ref: 000B22CD
RpcStringFreeA.RPCRT4(00000000), ref: 000B22FF

Part of subcall function 000BF790: memmove.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,000B24D2,?,?,00000000,00000000,?,?,0000000F,00000000), ref: 000BF7CF

Part of subcall function 000B4960: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,7096605D,?,?,?,?,?,?,?,?,DDCCC48D), ref: 000B4A4C

memmove.VCRUNTIME140(00000000,00000000,?,00000001,0000000F,00000000,00000000), ref: 000B295D
memmove.VCRUNTIME140(00000000,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 000B2A61
MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 000B3003
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 000B300B
memset.VCRUNTIME140(?,00000000,000000B8,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 000B301F
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 000B303F
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000,?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 000B3064
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 000B309E
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 000B30C2

Part of subcall function 000C10E0: ?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000001,?,00000040,7096605D,?,?,?,000B3106,?,00000001,00000000,?,?,?,?,?), ref: 000C1120
Part of subcall function 000C10E0: ?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,?,?,000B3106,?,00000001,00000000,?,?,?,?,?,?,00000000,?), ref: 000C113D
Part of subcall function 000C10E0: _get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,?,?), ref: 000C1165
Part of subcall function 000C10E0: ?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,000B3106,?,00000001,00000000,?,?), ref: 000C11AA
Part of subcall function 000C10E0: ?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP140(?,?,?,?,?,?,?,?,000B3106,?,00000001), ref: 000C11C2

fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000080,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000B331B

Part of subcall function 000C3770: memmove.VCRUNTIME140(?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F), ref: 000C382F
Part of subcall function 000C3770: memmove.VCRUNTIME140(?,?,DCC8DA8D,?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D), ref: 000C3840

MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 000B38F3
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 000B38FB
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,?,00000001,00000000,?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000), ref: 000B311D

Part of subcall function 000C1260: memmove.VCRUNTIME140(?,?,000BAFF8,00000000,?,?,000BAFF8,?,?), ref: 000C128D

?widen@?$basic_ios@DU?$char_traits@D@std@@@std@@QBEDD@Z.MSVCP140(0000000A,?,00000001,00000000,?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 000B31A6
_popen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,0014FB2C,?,?,?,?,?,?,?,?,00000000,?,00000001,0000000F,00000000,00000000), ref: 000B329C
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000080,00000000,?,?,?,?,?,?,?,?,?,?,00000000,?,00000001), ref: 000B32D0
memset.VCRUNTIME140(?,00000000,000000B0,00000000,?,?,DDDEC9C6,?,00000001), ref: 000B3A56
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(DDDEC9C6,?,00000001), ref: 000B3A78
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000), ref: 000B3A9A
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,00000001), ref: 000B3AD4
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z.MSVCP140(000AF740), ref: 000B3B93
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(00000001,00000002,00000000), ref: 000B3BB0
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(00000000), ref: 000B3BD8
Sleep.KERNEL32(00000064,?,FDDAC9C5,?,00000001,?,CDCED9D8,?,00000001,00000000,?,message,success,?), ref: 000B3F34
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,DDDEC9C6,?,00000001,CFDBC2C2,?,?,?), ref: 000B4182
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(?,?), ref: 000B418E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 000B434F
MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 000B468C
ShellExecuteA.SHELL32(00000000,00000000,?,00000000,00000000,00000001), ref: 000B46C9
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,00000000,00000000,00000001,?,?,?,?,00000001,?,?), ref: 000B46D1
MessageBoxA.USER32(00000000,00000000,00000000,00000010), ref: 000B475D
exit.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000), ref: 000B4765
_CxxThrowException.VCRUNTIME140(?,00155DA0,?,?), ref: 000B47B4

Strings

Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 000B3CD9
success, xrefs: 000B3D04
certutil -hashfile ", xrefs: 000B3219
message, xrefs: 000B3D20

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$memmove$Messageexit$??0?$basic_ios@??0?$basic_streambuf@??6?$basic_ostream@CreateInit@?$basic_streambuf@StringUuidV01@V?$basic_streambuf@_invalid_parameter_noinfo_noreturnfgetsmemset$??0?$basic_iostream@??0?$basic_istream@??1?$basic_ios@??1?$basic_iostream@?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@?setstate@?$basic_ios@?setw@std@@?widen@?$basic_ios@D@std@@@1@@D@std@@@1@_ExceptionExecuteFiopen@std@@FreeJ@1@_ShellSleepSmanip@_ThreadThrowU?$_U_iobuf@@V21@@Vios_base@1@Vlocale@2@_get_stream_buffer_pointers_popen
String ID: Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: $certutil -hashfile "$message$success
API String ID: 1436105476-171691153
Opcode ID: 04b2bb4178dd515b6dce377b971cf9cd00b7c023737c2d41ba33373ad6399d8c
Instruction ID: cf36c52cad4ac924eefee5fb17c0deb74ec0cc4de50b6e0e0d5d225adcab99fa
Opcode Fuzzy Hash: 04b2bb4178dd515b6dce377b971cf9cd00b7c023737c2d41ba33373ad6399d8c
Instruction Fuzzy Hash: 1733AE70C042988FDB2ACB24CC987EDBBB5AF55304F1482D9E44967292DB756BC8CF51

Function 000CEDB0 Relevance: 62.1, APIs: 27, Strings: 8, Instructions: 881
memorylibrarythreadCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleW.KERNEL32(ntdll.dll,NtSetInformationThread), ref: 000CEDDC
GetProcAddress.KERNEL32(00000000), ref: 000CEDE3
NtSetInformationThread.NTDLL(000000FE,00000011,00000000,00000000), ref: 000CEDF5
VirtualAlloc.KERNELBASE(00000000,00004000,00003000,00000004,?,?), ref: 000CEEF9
VirtualAlloc.KERNELBASE(00000000,01000000,00203000,00000004), ref: 000CEF13
VirtualFree.KERNEL32(00000000,00000000,00008000), ref: 000CEF2A
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?), ref: 000CEF4E
GetShortPathNameW.KERNEL32(?,?,00000104), ref: 000CEF6A
GetEnvironmentVariableW.KERNEL32(?,?,00000104), ref: 000CF2CF
ShellExecuteW.SHELL32(00000000,00000000,?,?,00000000,00000000), ref: 000CF2F1
GetCurrentProcess.KERNEL32(00000001), ref: 000CF2FF
NtTerminateProcess.NTDLL(00000000), ref: 000CF306
GetWriteWatch.KERNELBASE(00000000,00000000,00001000,00000000,?), ref: 000CF3A3
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 000CF3BE
VirtualFree.KERNELBASE(00000000,00000000,00008000), ref: 000CF3C8
GetModuleHandleW.KERNEL32(00000000,?,?), ref: 000CF4B1
LoadLibraryA.KERNEL32(?,?,?,?,00000000), ref: 000CF6F1
GetProcAddress.KERNEL32(00000000,CsrGetProcessId), ref: 000CF701
OpenProcess.KERNEL32(00000400,00000000,00000000), ref: 000CF715
CloseHandle.KERNEL32(00000000), ref: 000CF720
CreateFileA.KERNELBASE(?,80000000,00000000,00000000,00000003,00000000,00000000,?,?), ref: 000CF9FD
CloseHandle.KERNELBASE(00000000), ref: 000CFA0D
GetProcessHeap.KERNEL32(?,?,?), ref: 000CFB58
HeapWalk.KERNEL32(00000000), ref: 000CFB5F
memset.VCRUNTIME140(?,00000000,000002C8,?,?,?,?,?,?), ref: 000D017D
GetCurrentThread.KERNEL32 ref: 000D0190
GetThreadContext.KERNEL32(00000000,00010010), ref: 000D019F

Strings

Rj@", xrefs: 000CF1F0
CsrGetProcessId, xrefs: 000CF6FB
>jL", xrefs: 000CEF8E
d, xrefs: 000CF340
RPsu, xrefs: 000CF826
ntdll.dll, xrefs: 000CEDD3
NtSetInformationThread, xrefs: 000CEDCC
P-Fw, xrefs: 000CF2F7

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$HandleProcess$FreeModuleThread$AddressAllocCloseCurrentFileHeapNameProc$ContextCreateEnvironmentExecuteInformationLibraryLoadOpenPathShellShortTerminateVariableWalkWatchWritememset
String ID: >jL"$CsrGetProcessId$NtSetInformationThread$P-Fw$RPsu$Rj@"$d$ntdll.dll
API String ID: 2524847058-2002229670
Opcode ID: 44254b9d22cb0030d18785c83fb20eb6832cf50ec525d0a1bd2ec130f3a2988a
Instruction ID: b1835f89abd7ffe3ea1ca1f79b9bc363c532450c241231b0395c52b3d373905a
Opcode Fuzzy Hash: 44254b9d22cb0030d18785c83fb20eb6832cf50ec525d0a1bd2ec130f3a2988a
Instruction Fuzzy Hash: F5B2DCB86493808BD779CF28D484BEEBBE5BF89300F004A1DE9DD97251EB705A45CB46

Function 000D1670 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 264
libraryloaderinjectionCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetCurrentProcessId.KERNEL32(?,?,?,?), ref: 000D1816
OpenProcess.KERNEL32(001FFFFF,00000000,00000000), ref: 000D1824
LoadLibraryW.KERNELBASE(?), ref: 000D187E
GetProcAddress.KERNEL32(00000000,001516A4), ref: 000D1897
GetModuleHandleA.KERNEL32(00000000), ref: 000D18AD
wcsstr.VCRUNTIME140(00000000,?), ref: 000D1907
wcsstr.VCRUNTIME140(3545065E,?), ref: 000D195B
VirtualProtectEx.KERNEL32(?,00000000,00000000,00000040,3545065E), ref: 000D1980
WriteProcessMemory.KERNEL32(?,00000000,00000000,00000000,00000000), ref: 000D1999
VirtualProtectEx.KERNEL32(?,00000000,00000000,3545065E,00000000), ref: 000D19B7
CloseHandle.KERNELBASE(?), ref: 000D19D2

Strings

][B, xrefs: 000D16E7

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Process$HandleProtectVirtualwcsstr$AddressCloseCurrentLibraryLoadMemoryModuleOpenProcWrite
String ID: ][B
API String ID: 1383684886-3797712168
Opcode ID: 54c285eb90f1501753abe67b01c7a026881badabcdc709f3f4d5e9aa002abec6
Instruction ID: c0ce73a3a09fee1ba37df3327ed7ceced62aee9ca035d7d9064144f4c6b6d07e
Opcode Fuzzy Hash: 54c285eb90f1501753abe67b01c7a026881badabcdc709f3f4d5e9aa002abec6
Instruction Fuzzy Hash: 83C124B5D00219ABCB15CFE9D8546EEFBB1FF49300F04856AE825A7350EB746A41CF90

Function 000EC150 Relevance: 18.5, APIs: 12, Instructions: 493
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e65a62d20bb8404faa81a5a5e64e3bdac208b4409ac18269e02620e64d28cb29
Instruction ID: 80ecd62e1f8137b4c9ab280723ec9dba8e75fc55d720b18eef0c31da63acaf86
Opcode Fuzzy Hash: e65a62d20bb8404faa81a5a5e64e3bdac208b4409ac18269e02620e64d28cb29
Instruction Fuzzy Hash: 80127DB56083819FE760CF26C880B6BB7E4BF88304F44482EF9D9A7251D776E945CB52

Function 0010D550 Relevance: 12.3, APIs: 8, Instructions: 265
networksleepCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSASetLastError.WS2_32(00002726,?), ref: 0010D5BB
WSASetLastError.WS2_32(00002726), ref: 0010D73C
select.WS2_32(?,?,?,?,00000000), ref: 0010D7B4
WSAGetLastError.WS2_32(?,?), ref: 0010D7C5
__WSAFDIsSet.WS2_32(?,?), ref: 0010D807
__WSAFDIsSet.WS2_32(?,?), ref: 0010D845
__WSAFDIsSet.WS2_32(?,?), ref: 0010D863
Sleep.KERNEL32(FFFFFFFE), ref: 0010D8C0

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast$Sleepselect
String ID:
API String ID: 2806104629-0
Opcode ID: f9d2c468335007b0e3585699d16f4140e53bfb9c64d0e8e7c3bbf68156c4d0c3
Instruction ID: 933db15150a6a3014274e9baa76583303233d22741fc36b72bee2cea5d6dfd77
Opcode Fuzzy Hash: f9d2c468335007b0e3585699d16f4140e53bfb9c64d0e8e7c3bbf68156c4d0c3
Instruction Fuzzy Hash: 5CA1D170A043418BD7359F68E89566AB2E5FF98324F544A2EE8D9C31D0EBB5C980CB42

Function 000D0910 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 271
librarymemoryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNEL32(?,?,?,?,?), ref: 000D0A46
GetProcAddress.KERNEL32(00000000,?), ref: 000D0ACF
VirtualAlloc.KERNELBASE(00000000,?,00001000,00000004), ref: 000D0B03
VirtualFree.KERNELBASE(?,00000000,00008000), ref: 000D0CDE

Strings

UjJ", xrefs: 000D0B40

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$AddressAllocFreeLibraryLoadProc
String ID: UjJ"
API String ID: 3087743119-1193379857
Opcode ID: a38d6d2bc4cdb523a64aa767961b5c64940fd15f59f529259f5bb917c2f162a9
Instruction ID: 21155d70554d7dc0f1b7cee5c552b5176f48aa676a7bbe6ecd6516ee3a20bd65
Opcode Fuzzy Hash: a38d6d2bc4cdb523a64aa767961b5c64940fd15f59f529259f5bb917c2f162a9
Instruction Fuzzy Hash: 30D1B1B4E042199BDB15CF98D881AEEFBB1FF09310F14829AE969BB351D7305A81CF54

Function 000BA610 Relevance: 7.4, APIs: 3, Strings: 1, Instructions: 428stringCOMMON

Download Yara Rule

APIs

Part of subcall function 000E4E80: AcquireSRWLockExclusive.KERNEL32(001A6C18,?,000B2662,?,?,00000000,00000000,?,?,0000000F,00000000,00000000), ref: 000E4E86
Part of subcall function 000E4E80: ReleaseSRWLockExclusive.KERNEL32(001A6C18,00000000,00000000), ref: 000E4EAA

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000BA731
strstr.VCRUNTIME140(00000000,?), ref: 000BAA0D
strstr.VCRUNTIME140(00000000,89D9C9E7), ref: 000BAA43

Strings

keyauth.win, xrefs: 000BA791

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ExclusiveLockstrstr$AcquireRelease_invalid_parameter_noinfo_noreturn
String ID: keyauth.win
API String ID: 3875448324-3879341233
Opcode ID: a325a6899bb2aedabc2cdef0a124909ee5acf8d5a3bf6a7aa486a5cc53c8c25d
Instruction ID: 058ffb996102aca872d415e1a8c10f2cac1d6a7842f21c20e0c1d1280e3586bb
Opcode Fuzzy Hash: a325a6899bb2aedabc2cdef0a124909ee5acf8d5a3bf6a7aa486a5cc53c8c25d
Instruction Fuzzy Hash: EDF11571D106888BDB02DF78DC867EEB7B5AF16304F148359E8047B253EB71AAC58B91

Function 000D0E60 Relevance: 4.6, APIs: 3, Instructions: 108memoryCOMMON

Download Yara Rule

APIs

GetSystemInfo.KERNELBASE(?,00000000,?,?,?,7096605D,?,?), ref: 000D0F12
VirtualAlloc.KERNELBASE(00000000,?,00003000,00000040), ref: 000D0F25
VirtualProtect.KERNELBASE(00000000,?,00000140,00000000), ref: 000D0F58

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$AllocInfoProtectSystem
String ID:
API String ID: 284756817-0
Opcode ID: 5db721347ca283a38e369facb562178c8d71acb0eb451982579f2b333ac038ac
Instruction ID: 224d458b4b23d57575330e43477002c6b8e3eae636ae95e856f137b5c0516f30
Opcode Fuzzy Hash: 5db721347ca283a38e369facb562178c8d71acb0eb451982579f2b333ac038ac
Instruction Fuzzy Hash: E94147B1D04348AFCB54CFF9D881BEEBBF8AB49710F10822EE515FB285E63459058B61

Function 000FF5C0 Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 188
libraryloadernetworkCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

WSAStartup.WS2_32(00000202,?), ref: 000FF5E8
WSACleanup.WS2_32 ref: 000FF601
GetModuleHandleA.KERNEL32(kernel32,?,00000000), ref: 000FF638
GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 000FF65C
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(iphlpapi.dll,00145864,?,?,00000000), ref: 000FF66A
LoadLibraryA.KERNEL32(iphlpapi.dll), ref: 000FF692
GetProcAddress.KERNEL32(00000000,AddDllDirectory), ref: 000FF6A9
LoadLibraryExA.KERNELBASE(iphlpapi.dll,00000000,00000800), ref: 000FF6BB
GetSystemDirectoryA.KERNEL32(00000000,00000000), ref: 000FF6C8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(0000000D), ref: 000FF6DE
GetSystemDirectoryA.KERNEL32(00000000,?), ref: 000FF6F2
LoadLibraryA.KERNEL32(00000000), ref: 000FF74B
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000FF754
GetProcAddress.KERNEL32(00000000,if_nametoindex), ref: 000FF76E
GetModuleHandleA.KERNEL32(ws2_32), ref: 000FF786
GetProcAddress.KERNEL32(00000000,FreeAddrInfoExW), ref: 000FF798
GetProcAddress.KERNEL32(00000000,GetAddrInfoExCancel), ref: 000FF7A5
GetProcAddress.KERNEL32(00000000,GetAddrInfoExW), ref: 000FF7B2
QueryPerformanceFrequency.KERNEL32(001A71E0), ref: 000FF7F1

Strings

ws2_32, xrefs: 000FF781
AddDllDirectory, xrefs: 000FF6A3
GetAddrInfoExCancel, xrefs: 000FF79A
FreeAddrInfoExW, xrefs: 000FF792
if_nametoindex, xrefs: 000FF768
iphlpapi.dll, xrefs: 000FF663, 000FF67F, 000FF68D, 000FF6B6, 000FF721
GetAddrInfoExW, xrefs: 000FF7A7
LoadLibraryExA, xrefs: 000FF656
kernel32, xrefs: 000FF631

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: AddressProc$LibraryLoad$DirectoryHandleModuleSystem$CleanupFrequencyPerformanceQueryStartupfreemallocstrpbrk
String ID: AddDllDirectory$FreeAddrInfoExW$GetAddrInfoExCancel$GetAddrInfoExW$LoadLibraryExA$if_nametoindex$iphlpapi.dll$kernel32$ws2_32
API String ID: 2955908671-760012282
Opcode ID: a089563037c010ce136aa61f173733dfd9a27a5aa60800ae17c6b7d49e3d2c8c
Instruction ID: 0ebb439823efcd0d52b262150bb23085269a4656f6a01af16fbcc3c95bf1ec17
Opcode Fuzzy Hash: a089563037c010ce136aa61f173733dfd9a27a5aa60800ae17c6b7d49e3d2c8c
Instruction Fuzzy Hash: D551383474830BBBE7206B319C46F7A7BD59F46B45F080038FB45A6AF2EFA18841D651

Function 000D1000 Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 304
registryCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

memset.VCRUNTIME140(?,00000000,000000FF,?,?,?,?), ref: 000D11F1
RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\HardwareConfig\Current\,00000000,00000001,00000000,?,?,?), ref: 000D121E
RegGetValueW.KERNELBASE(00000000,00000000,SystemManufacturer,00000002,00000000,?,000000FF), ref: 000D1249
memset.VCRUNTIME140(?,00000000,000000FF), ref: 000D12A5
RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\HardwareConfig\Current\,00000000,00000001,00000000), ref: 000D12CC
RegGetValueW.KERNELBASE(00000000,00000000,BIOSVendor,00000002,00000000,?,000000FF), ref: 000D12F1
memset.VCRUNTIME140(?,00000000,000000FF), ref: 000D1347
RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\HardwareConfig\Current\,00000000,00000001,00000000), ref: 000D136E
RegGetValueW.KERNELBASE(00000000,00000000,SystemFamily,00000002,00000000,?,000000FF), ref: 000D1393
memset.VCRUNTIME140(?,00000000,000000FF), ref: 000D13E9
RegOpenKeyExW.KERNELBASE(80000002,SYSTEM\HardwareConfig\Current\,00000000,00000001,00000000), ref: 000D1410
RegGetValueW.KERNELBASE(00000000,00000000,SystemProductName,00000002,00000000,?,000000FF), ref: 000D1435

Strings

SystemManufacturer, xrefs: 000D123C
SystemFamily, xrefs: 000D1386
SystemProductName, xrefs: 000D1428
Microsoft Corporation, xrefs: 000D124F, 000D12F7
Virtual Machine, xrefs: 000D1399, 000D143B
BIOSVendor, xrefs: 000D12E4
SYSTEM\HardwareConfig\Current\, xrefs: 000D1214, 000D12C2, 000D1364, 000D1406

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: OpenValuememset
String ID: BIOSVendor$Microsoft Corporation$SYSTEM\HardwareConfig\Current\$SystemFamily$SystemManufacturer$SystemProductName$Virtual Machine
API String ID: 1838555039-2738853297
Opcode ID: a21914a9700a8bbf888c3c123dba7ce5c5cf80dbe1de2b00b84624cf9e9328ee
Instruction ID: 46635c0a5c1c51c7ba79fca98bde32d80f5400482f278380c931f3f84b98bd73
Opcode Fuzzy Hash: a21914a9700a8bbf888c3c123dba7ce5c5cf80dbe1de2b00b84624cf9e9328ee
Instruction Fuzzy Hash: 36C150F5900318AADB708F148C81BE9B7B9AF15704F4441EADB49B7242EB715FC98F68

Function 000FF410 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 148
librarystringloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleHandleA.KERNEL32(kernel32,?,?,security.dll,00130B8D,security.dll,00000004,00000000,00000000,00000002,00000002,000FF626), ref: 000FF41A
GetProcAddress.KERNEL32(00000000,LoadLibraryExA), ref: 000FF432
strpbrk.API-MS-WIN-CRT-STRING-L1-1-0(?,00145864,?,?,?,security.dll,00130B8D,security.dll,00000004,00000000,00000000,00000002,00000002,000FF626), ref: 000FF444

Strings

AddDllDirectory, xrefs: 000FF477
LoadLibraryExA, xrefs: 000FF42C
security.dll, xrefs: 000FF410
kernel32, xrefs: 000FF413

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProcstrpbrk
String ID: AddDllDirectory$LoadLibraryExA$kernel32$security.dll
API String ID: 27745253-2138446276
Opcode ID: 8419f8357b890b14c1b6b40d86d5f65fbb1e2a9dec707a355f2a1c8165b9c881
Instruction ID: 564cfd103795d4f5186ae1872bb0ef5d2992d8e1a4080469720aaec665abc0cc
Opcode Fuzzy Hash: 8419f8357b890b14c1b6b40d86d5f65fbb1e2a9dec707a355f2a1c8165b9c881
Instruction Fuzzy Hash: 0E416B7A3003066BEB101F39BC447B77789DF82766F284179FB02C7A52EF62D44A9260

Function 000D2010 Relevance: 23.2, APIs: 12, Strings: 1, Instructions: 423
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameW.KERNEL32(00000000,?,00000104,7096605D,-00000001,C8593A89), ref: 000D205F
memset.VCRUNTIME140(?,00000000,00000100,?,?), ref: 000D20EF
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,00000000,00000000,00000000,00000000,?,00000000,?,?), ref: 000D222E
WideCharToMultiByte.KERNEL32(0000FDE9,00000000,?,000000FF,?,00000000,00000000,00000000), ref: 000D2278
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 000D22B0
_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000), ref: 000D22DE
srand.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000), ref: 000D22EE
rand.API-MS-WIN-CRT-UTILITY-L1-1-0(?,?), ref: 000D258C
rand.API-MS-WIN-CRT-UTILITY-L1-1-0 ref: 000D25B0
strcat_s.API-MS-WIN-CRT-STRING-L1-1-0(00000000,00000014,.exe), ref: 000D25F9
rename.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?,00000000), ref: 000D261B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000D26DD

Strings

.exe, xrefs: 000D25E9

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharMultiWide_invalid_parameter_noinfo_noreturnrand$FileModuleName_time64memsetrenamesrandstrcat_s
String ID: .exe
API String ID: 187646111-4119554291
Opcode ID: db819a287cb3ca3851c729cb39b63312a51848b0995a8f114bf23e7122cc29db
Instruction ID: 5c0353f9f7dc6bda47800db796cc1bb3f7fe64ad17e5aba760f86d37ab23c73c
Opcode Fuzzy Hash: db819a287cb3ca3851c729cb39b63312a51848b0995a8f114bf23e7122cc29db
Instruction Fuzzy Hash: 471248749042289BDB26CF28CC99BADB7B8EB55304F1042DAE54DA7290DBB06FC5CF50

Function 000EF230 Relevance: 17.6, APIs: 9, Strings: 1, Instructions: 69
synchronizationCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

EnterCriticalSection.KERNEL32(?,000006DC,?,00000000,00000088,000F6784,00000000), ref: 000EF6F0
LeaveCriticalSection.KERNEL32(?,?,00000000,00000088,000F6784,00000000), ref: 000EF703
CloseHandle.KERNEL32(00000000,?,00000000,00000088,000F6784,00000000), ref: 000EF714
GetAddrInfoExCancel.WS2_32(?), ref: 000EF731
WaitForSingleObject.KERNEL32(?,000000FF,?,00000000,00000088,000F6784,00000000), ref: 000EF73B
CloseHandle.KERNELBASE(?,?,00000000,00000088,000F6784,00000000), ref: 000EF743
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,00000000,00000088,000F6784,00000000), ref: 000EF767
closesocket.WS2_32(?), ref: 000EF77E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000088,000F6784,00000000), ref: 000EF78F

Strings

4, xrefs: 000EF230

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: CloseCriticalHandleSectionfree$AddrCancelEnterInfoLeaveObjectSingleWaitclosesocket
String ID: 4
API String ID: 3257786090-2200918444
Opcode ID: 6eee0ff98ca47c50443bb0b2b717a0038ad761636f4ec03dd9bb68722676585e
Instruction ID: 751834362318c768839cbac680c96d974e176b1877e6c8018aecfdb1305dc7dc
Opcode Fuzzy Hash: 6eee0ff98ca47c50443bb0b2b717a0038ad761636f4ec03dd9bb68722676585e
Instruction Fuzzy Hash: F021C2B5404242FFDB10AF61DC49AA6BBB8FF05312F040024FA4992971D732F8A4DBD1

Function 000BAE00 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 228
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

GetModuleFileNameA.KERNEL32(00000000,?,00000104,7096605D,?,?), ref: 000BAE67
_popen.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,0014FB2C,?), ref: 000BAF89
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000080,00000000), ref: 000BAFC1
fgets.API-MS-WIN-CRT-STDIO-L1-1-0(?,00000080,00000000,?,?), ref: 000BB005
_pclose.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000BB01A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000BB0DA
_CxxThrowException.VCRUNTIME140(?,00155DA0,?,?), ref: 000BB153

Strings

certutil -hashfile ", xrefs: 000BAEE5

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: fgets$ExceptionFileModuleNameThrow_invalid_parameter_noinfo_noreturn_pclose_popen
String ID: certutil -hashfile "
API String ID: 3145020836-3987956816
Opcode ID: 7f6c4e553a085ba41bc7e0da6a781eab1e2d8f32f927f59b8b8b053d4c570ba1
Instruction ID: 3a3be0deafca895c7ddf2258f18c11f2c6dd5c815a040acc623f120cf5b90bc3
Opcode Fuzzy Hash: 7f6c4e553a085ba41bc7e0da6a781eab1e2d8f32f927f59b8b8b053d4c570ba1
Instruction Fuzzy Hash: E191D171D012589BDB25DB24CC49BEEB7B4EF56304F0442D9E859A7292EBB0ABC48F50

Function 000D2720 Relevance: 10.7, APIs: 5, Strings: 1, Instructions: 168
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000ADEC0: memchr.VCRUNTIME140 ref: 000ADF08
Part of subcall function 000ADEC0: memchr.VCRUNTIME140(00000001,?,?), ref: 000ADF8B

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,7096605D,?,00000001), ref: 000D2913

Part of subcall function 000AE120: memmove.VCRUNTIME140(?,75570E50,?,?,?,?,75570E50), ref: 000AE152

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(00000092,?,7096605D,?,00000001), ref: 000D283E
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(0000004F), ref: 000D2854
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(000000FF), ref: 000D286D
memmove.VCRUNTIME140(?,?,?), ref: 000D28C3

Strings

[~], xrefs: 000D2781, 000D2885

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ??6?$basic_ostream@D@std@@@std@@U?$char_traits@V01@$memchrmemmove$_invalid_parameter_noinfo_noreturn
String ID: [~]
API String ID: 476110309-1003381106
Opcode ID: 3ba4e9b12bc890a1ca296486def743effc5591f2e1bba4223ebaaedf38df40aa
Instruction ID: fdb98f84dba547e751b5ffc9c7d082c24686b1ffd40cc7fc3ca7c641c0e1f55b
Opcode Fuzzy Hash: 3ba4e9b12bc890a1ca296486def743effc5591f2e1bba4223ebaaedf38df40aa
Instruction Fuzzy Hash: 1451BA71E00204EBCF15DFA8D895AEEB7B5EF99300F108229E826AB791D7305D85CB91

Function 000BAC20 Relevance: 10.7, APIs: 4, Strings: 2, Instructions: 159
processCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 000C3770: memmove.VCRUNTIME140(?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F), ref: 000C382F
Part of subcall function 000C3770: memmove.VCRUNTIME140(?,?,DCC8DA8D,?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D), ref: 000C3840

memmove.VCRUNTIME140(?, && timeout /t 5",00000011,?,0013E2C8,start cmd /C "color b && title Error && echo ,0000002D,?,0013E2C8,7096605D,00000000), ref: 000BACC1
system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000011,00000000, && timeout /t 5",00000011,?,0013E2C8,start cmd /C "color b && title Error && echo ,0000002D,?,0013E2C8,7096605D,00000000), ref: 000BAD26
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000BAD97
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000BADD1

Strings

start cmd /C "color b && title Error && echo , xrefs: 000BAC83
&& timeout /t 5", xrefs: 000BACA4

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$_invalid_parameter_noinfo_noreturn$system
String ID: && timeout /t 5"$start cmd /C "color b && title Error && echo
API String ID: 914278256-3357973498
Opcode ID: 6411c0c0a0021fba3c27272c9bbde0eea4dcf5390e7be8bebfaede45ba149c98
Instruction ID: ee1c26d87d4a8b783da177ada1337aa4485a4639eddfff803136d45f37efe95a
Opcode Fuzzy Hash: 6411c0c0a0021fba3c27272c9bbde0eea4dcf5390e7be8bebfaede45ba149c98
Instruction Fuzzy Hash: B7510B71E001489FDB08CF68CC89BEEB775EF45300F148229E516AB692D774EE81DB91

Function 000A2A50 Relevance: 9.2, APIs: 6, Instructions: 155
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,7096605D), ref: 000A2B28
?sputn@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAE_JPBD_J@Z.MSVCP140(?,?,00000000,?,7096605D), ref: 000A2B54
?sputc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHD@Z.MSVCP140(?,?,7096605D), ref: 000A2B7E
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,7096605D), ref: 000A2BE6
?uncaught_exception@std@@YA_NXZ.MSVCP140(?,7096605D), ref: 000A2BEC
?_Osfx@?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEXXZ.MSVCP140(?,7096605D), ref: 000A2BF9

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sputc@?$basic_streambuf@$?setstate@?$basic_ios@?sputn@?$basic_streambuf@?uncaught_exception@std@@Osfx@?$basic_ostream@
String ID:
API String ID: 3901553425-0
Opcode ID: 9624b2bea37a008442501106d7c40803ed832a6be5a302160220eb61d3633f51
Instruction ID: 0a188b7ae8cde5d577d0387ccf19a75e2491dc17919e6d49e0b36adb80e9d184
Opcode Fuzzy Hash: 9624b2bea37a008442501106d7c40803ed832a6be5a302160220eb61d3633f51
Instruction Fuzzy Hash: A7515335A105048FCB24CFACC544F99BBF1FF4A714F2942A8D915AB3A2D731AD41CB60

Function 000F6DB0 Relevance: 9.1, APIs: 6, Instructions: 139
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,00000E08,?,000E4EC8,00000000,?,000B2662,?,?,00000000,00000000,?,?,0000000F,00000000,00000000), ref: 000F6DB8
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000000,00000000), ref: 000F6DEA

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: callocfree
String ID:
API String ID: 306872129-0
Opcode ID: 046f2d11592d4436a0e463d9527d88465606091a358ce793c6bea32a921c6f48
Instruction ID: 74ae740a152fa62acd3c0c08d3173053a05eaa39596c870cab055870932aa54a
Opcode Fuzzy Hash: 046f2d11592d4436a0e463d9527d88465606091a358ce793c6bea32a921c6f48
Instruction Fuzzy Hash: 4E610BB0604B42AEE3599F38D8497D6FAA5BB41328F144318E57C4B2D2C7BA2179CBD1

Function 00130B60 Relevance: 7.0, APIs: 1, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

Part of subcall function 00130760: GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo), ref: 0013078E
Part of subcall function 00130760: GetProcAddress.KERNEL32(00000000), ref: 00130795

Part of subcall function 000FF410: GetModuleHandleA.KERNEL32(kernel32,?,?,security.dll,00130B8D,security.dll,00000004,00000000,00000000,00000002,00000002,000FF626), ref: 000FF41A

GetProcAddress.KERNELBASE(00000000,InitSecurityInterfaceA), ref: 00130B9F

Strings

security.dll, xrefs: 00130B7F, 00130B87
InitSecurityInterfaceA, xrefs: 00130B99
secur32.dll, xrefs: 00130B7A

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: AddressHandleModuleProc
String ID: InitSecurityInterfaceA$secur32.dll$security.dll
API String ID: 1646373207-3788156360
Opcode ID: 7ad929e6e3a00d7683a769d03615b5c2327c29cda4ca1d892507417576e8d065
Instruction ID: 094a6ebd0a9a071325156bccfd05d53a9ddf4bc75f11e15e04d894c8d74a99bd
Opcode Fuzzy Hash: 7ad929e6e3a00d7683a769d03615b5c2327c29cda4ca1d892507417576e8d065
Instruction Fuzzy Hash: 20F0E5B434030267EF259BB86C27B3A71C54BC574DFA840787B06F66D6EBB8CC808A40

Function 000D01F0 Relevance: 6.3, APIs: 4, Instructions: 267COMMON

Download Yara Rule

APIs

FindWindowW.USER32(00000000,?), ref: 000D0355
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?), ref: 000D0546

Part of subcall function 000CE2F0: GetLastError.KERNEL32(?,00000000,00000000), ref: 000CE3DB

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?), ref: 000D0571
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?), ref: 000D0592

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free$ErrorFindLastWindow_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 3421515688-0
Opcode ID: 09d7f0e25440068f40fab42876ea927d0bb325fafe8898c9c2dc38ad860fbb86
Instruction ID: 58db0cbefcc8d9d1a96d7172774ac287a47f9a06b253ea7d4434a7e0a2492f83
Opcode Fuzzy Hash: 09d7f0e25440068f40fab42876ea927d0bb325fafe8898c9c2dc38ad860fbb86
Instruction Fuzzy Hash: E9D1F1B4D04259DBCB18CF98D991AEEBBB1FF49310F20415AD949B7341D7306A85CFA1

Function 000A1390 Relevance: 6.1, APIs: 4, Instructions: 116COMMON

Download Yara Rule

APIs

_beginthreadex.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,Function_00043470,00000000,00000000,?,00000008,?,?,7096605D), ref: 000A1499
_Thrd_detach.MSVCP140(00000000,?), ref: 000A14B6
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000001), ref: 000A14EE
?_Throw_Cpp_error@std@@YAXH@Z.MSVCP140(00000006), ref: 000A14FD

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Cpp_error@std@@Throw_$Thrd_detach_beginthreadex
String ID:
API String ID: 1544947071-0
Opcode ID: e0c83e7486adfd9ec28400f5a3909c590fe387b41868461fd31eb29c606bb190
Instruction ID: 3276315d5c5f170e92730960d7fd48d524b824ef8ebfd6c0c5fa5b3e04b321da
Opcode Fuzzy Hash: e0c83e7486adfd9ec28400f5a3909c590fe387b41868461fd31eb29c606bb190
Instruction Fuzzy Hash: 404166B4E04248DFDB05CFA8D945BEEBBB4FF09300F144229E815BB391EB746A058B64

Function 000E3330 Relevance: 6.1, APIs: 4, Instructions: 69sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000CEAB0: _Query_perf_frequency.MSVCP140 ref: 000CEABE
Part of subcall function 000CEAB0: _Query_perf_counter.MSVCP140 ref: 000CEACA

Sleep.KERNEL32(05265C00,00000000,00000000,?,Function_00054240,00000000,?,?,Function_00054240,00000000,?,?,?), ref: 000E3380
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000E3393
Sleep.KERNEL32(-00000001,00000000,?,Function_00054240,00000000,?,?,Function_00054240,00000000,?,?,?,?,?,?,000E320F), ref: 000E33C4
Sleep.KERNEL32(00000000,00000000,?,Function_00054240,00000000,?,?,Function_00054240,00000000,?,?,?,?,?,?,000E320F), ref: 000E33D8

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Sleep$Query_perf_counterQuery_perf_frequencyUnothrow_t@std@@@__ehfuncinfo$??2@
String ID:
API String ID: 182150864-0
Opcode ID: 3bc39f83053371da1cf298b239eab178a657e5001cec86fc7dcc09f6f10265d3
Instruction ID: dfcdac37bb5a8f73f73c3d4cbf48cb556c6a1573faeba4b6b30bcd986e54289b
Opcode Fuzzy Hash: 3bc39f83053371da1cf298b239eab178a657e5001cec86fc7dcc09f6f10265d3
Instruction Fuzzy Hash: 38116331F04284AFDB14EBBB98CAEAEBB74AB44700F1000A5F601F7253DA71AF444795

Function 000D1E40 Relevance: 1.6, APIs: 1, Instructions: 112COMMON

Download Yara Rule

APIs

KiUserExceptionDispatcher.NTDLL(40010005,00000000,00000000,00000000,?,?,7096605D,?,?), ref: 000D1FA8

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: 29cb2810aefd3467d03d5f0e49bf0f0402d14e57dbce97687190950a8d772bd7
Instruction ID: ccaeca87231968d27572110beaa4273020859a79c4445f5f241f9e14c9680d61
Opcode Fuzzy Hash: 29cb2810aefd3467d03d5f0e49bf0f0402d14e57dbce97687190950a8d772bd7
Instruction Fuzzy Hash: BA51BDB4D042489BCB15CFA8D981ADDBBF5FF08320F245269E819BB350E7716A45CF68

Function 000E34D0 Relevance: 1.5, APIs: 1, Instructions: 34COMMON

Download Yara Rule

APIs

_Cnd_do_broadcast_at_thread_exit.MSVCP140 ref: 000E350C

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Cnd_do_broadcast_at_thread_exit
String ID:
API String ID: 2632783013-0
Opcode ID: 3bb9349c364b9b9d009b07444c1ef965bc787ed6b4d464288fbc31b7efe68ec3
Instruction ID: 80421ebd93028b3cd5838502f3db9ca3a6c833e36908263fd4a043da37ad48d1
Opcode Fuzzy Hash: 3bb9349c364b9b9d009b07444c1ef965bc787ed6b4d464288fbc31b7efe68ec3
Instruction Fuzzy Hash: CDF08C71900109DFCB04DFA8DC46BAABBB8FB08710F10462AE815E7691EB35AA04CB50

Function 000E3470 Relevance: 1.5, APIs: 1, Instructions: 31COMMON

Download Yara Rule

APIs

_Cnd_do_broadcast_at_thread_exit.MSVCP140(?,?,Function_0009D160,000000FF), ref: 000E349D

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Cnd_do_broadcast_at_thread_exit
String ID:
API String ID: 2632783013-0
Opcode ID: f25ea545a92ded8f9374c8e9f7b5b8eff4f5f286ee3e1dce44b11ecc9dcaf4d8
Instruction ID: af564655ead7248dfa57bf2f8e3c0bf7ae800df3a44031a327f551e38e91c805
Opcode Fuzzy Hash: f25ea545a92ded8f9374c8e9f7b5b8eff4f5f286ee3e1dce44b11ecc9dcaf4d8
Instruction Fuzzy Hash: C4F08276A44A54EFC321DF59DC05F96B7E8FB09B20F00862AED15E3780DB35AD0086D0

Function 000D0D10 Relevance: 1.3, APIs: 1, Instructions: 81COMMON

Download Yara Rule

APIs

CloseHandle.KERNELBASE(DEADBEEF,?,?,7096605D,?,?), ref: 000D0DF7

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: CloseHandle
String ID:
API String ID: 2962429428-0
Opcode ID: 5402949dd97d3c41d01142e8d2d9fd05cbc3a26511d47966e7214bbae320d02e
Instruction ID: dfc8a1a5ed4f8136e08d864a5d5850974043f797a48e4a0b8693bd8ff8f70fb6
Opcode Fuzzy Hash: 5402949dd97d3c41d01142e8d2d9fd05cbc3a26511d47966e7214bbae320d02e
Instruction Fuzzy Hash: F631FEB5D04248DBCB10CFA8D981ADEBBF4FB09324F24426AE855B7350E7316A45CFA4

Function 000D0F9A Relevance: 1.3, APIs: 1, Instructions: 24COMMON

Download Yara Rule

APIs

VirtualFree.KERNELBASE(?,00000000,00008000), ref: 000D0FAB

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: FreeVirtual
String ID:
API String ID: 1263568516-0
Opcode ID: a2e8f8d981453a4f5e72b0a13035794c379cd9a055c59aa69d457266fc09102e
Instruction ID: e038e7496cfc047ce75f0102ca43ad97a44f599634faf4b061423f4392ebe703
Opcode Fuzzy Hash: a2e8f8d981453a4f5e72b0a13035794c379cd9a055c59aa69d457266fc09102e
Instruction Fuzzy Hash: D8E06575E08348CFDB14CF94D4567EDF770EB48720F20825AED222B381C73519058BA0

Non-executed Functions

Function 000BB822 Relevance: 67.5, APIs: 19, Strings: 19, Instructions: 1004COMMON

Download Yara Rule

APIs

memchr.VCRUNTIME140(?,0000003D,?), ref: 000BB847
memchr.VCRUNTIME140(?,0000003D,?), ref: 000BB946

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(sessionid,00000009,?,?), ref: 000BBB56
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(ownerid), ref: 000BBBDB

Part of subcall function 000AE120: memmove.VCRUNTIME140(?,75570E50,?,?,?,?,75570E50), ref: 000AE152

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(app), ref: 000BBC60
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(name), ref: 000BBCE5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(key), ref: 000BBD6A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(username), ref: 000BBDEF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(password), ref: 000BBE74
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(contents), ref: 000BBEF9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(secret), ref: 000BBF7E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(version), ref: 000BC003
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(fileid), ref: 000BC088
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(webhooks), ref: 000BC10D
GetModuleFileNameW.KERNEL32(00000000,?,00000104,?,00000007,sessionid,00000009,?), ref: 000BC153
PathFindFileNameW.SHLWAPI(?), ref: 000BC160
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,00000007,?,00000006,?,00000008), ref: 000BC36F

Strings

app, xrefs: 000BBBFA
=u, xrefs: 000BC22E
Pn., xrefs: 000BC12C
username, xrefs: 000BBD89
/, xrefs: 000BC67F
name, xrefs: 000BBC7F
ownerid, xrefs: 000BBB75
password, xrefs: 000BBE0E
\Debug, xrefs: 000BC3B8, 000BC56A, 000BC5C8
fileid, xrefs: 000BC022
\KeyAuth, xrefs: 000BC21A
\Debug\, xrefs: 000BC2BD
version, xrefs: 000BBF9D
secret, xrefs: 000BBF18
webhooks, xrefs: 000BC0A7
contents, xrefs: 000BBE93
key, xrefs: 000BBD04
sessionid, xrefs: 000BBAF0
H\, xrefs: 000BC1E3

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$FileNamememchr$FindModulePathmallocmemmove
String ID: /$Pn.$\Debug$\Debug\$\KeyAuth$app$contents$fileid$key$name$ownerid$password$secret$sessionid$username$version$webhooks$=u$H\
API String ID: 3080763380-2137530013
Opcode ID: 185cd6026432e4e63d12ecbc82c21cbdba11e4d863a1316eb2dead29c40072a4
Instruction ID: 138d80087e13b44dcb71eb4b52eb3f5f3bddda134bf68590e9514ba911bbd3d4
Opcode Fuzzy Hash: 185cd6026432e4e63d12ecbc82c21cbdba11e4d863a1316eb2dead29c40072a4
Instruction Fuzzy Hash: 96A26A30D012688BDB69DB24CC99BEDB7B4AF56300F2482D9E449A7292EB745FC4CF50

Function 000AE840 Relevance: 56.4, APIs: 28, Strings: 4, Instructions: 410injectionmemorysleepCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,00000000,00030000,00003000,00000004,?,?,00000000), ref: 000AE89A
VirtualProtectEx.KERNEL32(?,00000000,00030000,00000040,?,?,00000000,00030000,00003000,00000004,?,?,00000000), ref: 000AE8B9
WriteProcessMemory.KERNEL32(?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000,00030000,00003000,00000004,?), ref: 000AE8FF
WriteProcessMemory.KERNEL32(?,?,?,?,00000000,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 000AE93D
VirtualAllocEx.KERNEL32(?,00000000,0000001C,00003000,00000004,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 000AE969
WriteProcessMemory.KERNEL32(?,00000000,?,0000001C,00000000,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 000AE982
VirtualAllocEx.KERNEL32(?,00000000,00001000,00003000,00000040,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 000AE99F
WriteProcessMemory.KERNEL32(?,00000000,000AED10,00001000,00000000,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 000AE9BC
CreateRemoteThread.KERNEL32(?,00000000,00000000,00000000,00000000,00000000,00000000), ref: 000AE9D5
CloseHandle.KERNEL32(00000000,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000,00030000,00003000,00000004), ref: 000AE9E4
GetExitCodeProcess.KERNEL32(?,?), ref: 000AEA0C
ReadProcessMemory.KERNEL32(?,?,?,0000001C,00000000,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?), ref: 000AEA3A
Sleep.KERNEL32(0000000A,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000,00030000,00003000,00000004), ref: 000AEA51
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(01400000,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000,00030000,00003000,00000004), ref: 000AEA5F
memset.VCRUNTIME140(00000000,00000000,01400000,00000000), ref: 000AEA7D
WriteProcessMemory.KERNEL32(?,?,00000000,00001000,00000000,?,?,?,00000000), ref: 000AEA93
WriteProcessMemory.KERNEL32(?,?,00000103,00000000,00000000,?,?,?,00000000), ref: 000AEB6A
VirtualProtectEx.KERNEL32(?,?,?,00000002,00000000,?,?,?,00000000), ref: 000AEBE0
VirtualProtectEx.KERNEL32(?,?,?,00000002,?,?,?,?,00000000), ref: 000AEC0E
WriteProcessMemory.KERNEL32(?,?,00000103,00001000,00000000,?,?,?,00000000), ref: 000AEC23
VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,?,00000000), ref: 000AEC38
VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,?,00000000), ref: 000AEC45
VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000), ref: 000AEC6E
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000), ref: 000AEC7B
VirtualFreeEx.KERNEL32(?,00000000,00000000,00008000,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000), ref: 000AEC89
VirtualFreeEx.KERNEL32(?,?,00000000,00008000,?,?,0017A688,00001000,00000000,?,00000000,00030000,00000040,?,?,00000000), ref: 000AECEC

Strings

.pdata, xrefs: 000AEACA
@@@, xrefs: 000AEA43
.rsrc, xrefs: 000AEAFA
.reloc, xrefs: 000AEB2A

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Virtual$Process$Memory$Write$Free$AllocProtect$CloseCodeCreateExitHandleReadRemoteSleepThreadmallocmemset
String ID: .pdata$.reloc$.rsrc$@@@
API String ID: 2738092353-1643141565
Opcode ID: 8c587beaa0378bcb999a619487a48aeb56aa4a0e4c5692a0a6be6bca209517c3
Instruction ID: a2b00cb2c36befd7d070cf7fec71cc542ba6bfef2165a0f52ef191882aa9387d
Opcode Fuzzy Hash: 8c587beaa0378bcb999a619487a48aeb56aa4a0e4c5692a0a6be6bca209517c3
Instruction Fuzzy Hash: F5E1B271A40254BBDB208BE4CC45FAEBBF9BF46B00F144058FA45BB291D771A885CB64

Function 000F4240 Relevance: 52.9, APIs: 23, Strings: 7, Instructions: 389stringCOMMON

Download Yara Rule

APIs

strncmp.API-MS-WIN-CRT-STRING-L1-1-0(?,sha256//,00000008), ref: 000F429E
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000020), ref: 000F42C8
__vfprintf_l.LIBCMT ref: 000F42FC
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000F4307

Strings

public key hash: sha256//%s, xrefs: 000F4322
-----END PUBLIC KEY-----, xrefs: 000F459A
;sha256//, xrefs: 000F4360
-----BEGIN PUBLIC KEY-----, xrefs: 000F456D
Z, xrefs: 000F4697
Z, xrefs: 000F4268
sha256//, xrefs: 000F4298, 000F43E7

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: __vfprintf_lfreemallocstrncmp
String ID: -----END PUBLIC KEY-----$ public key hash: sha256//%s$-----BEGIN PUBLIC KEY-----$;sha256//$Z$Z$sha256//
API String ID: 2211953100-1456817947
Opcode ID: a14bd72a82c0bc5356be1d7caa288c483730a5a27236e98ae195fdb185c87123
Instruction ID: 8e9f62007a0d5b5f5b939a8ff0858a159de0f2c878ab23d580c0b0fd2ecc20fc
Opcode Fuzzy Hash: a14bd72a82c0bc5356be1d7caa288c483730a5a27236e98ae195fdb185c87123
Instruction Fuzzy Hash: 56C198321047449FCB20AF28DC4477B7BE2AF82324F480658FED58BA92E376DD469752

Function 000C6AD0 Relevance: 45.2, APIs: 19, Strings: 6, Instructions: 1414COMMON

Download Yara Rule

APIs

_dclass.API-MS-WIN-CRT-MATH-L1-1-0(?,?,?,00000000), ref: 000C6E52
__std_exception_destroy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000), ref: 000C7231
__std_exception_destroy.VCRUNTIME140(?,?,?,?,?,?,?,?,?,00000000), ref: 000C7247
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 000C72C0
__std_exception_destroy.VCRUNTIME140(?,00000000,object key,0000000A), ref: 000C73A3
__std_exception_destroy.VCRUNTIME140(?), ref: 000C73B9
?_Xbad_function_call@std@@YAXXZ.MSVCP140(?,?,?,?,?,?,?,?,00000000), ref: 000C7412
__std_exception_destroy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000), ref: 000C7591
__std_exception_destroy.VCRUNTIME140(?,?,?,?,?,?,?,?,00000000), ref: 000C75A7
__std_exception_destroy.VCRUNTIME140(?,?,?,00000000), ref: 000C7720
__std_exception_destroy.VCRUNTIME140(?,?,?,00000000), ref: 000C7E89
__std_exception_destroy.VCRUNTIME140(?), ref: 000C7E9F

Strings

value, xrefs: 000C7DB8
object key, xrefs: 000C72D2, 000C7ADB
object, xrefs: 000C77CD
array, xrefs: 000C7649
number overflow parsing ', xrefs: 000C7428
object separator, xrefs: 000C7157, 000C7957

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$Xbad_function_call@std@@_dclass_invalid_parameter_noinfo_noreturn
String ID: array$number overflow parsing '$object$object key$object separator$value
API String ID: 2454285746-2528100155
Opcode ID: be6397570f82ed879736ea978630e9135650d1c1181a87ab006c2368be07cdfc
Instruction ID: 1f621d92e0d98c9d321be9ca7f9dccfaa9ff1f058b9da8de0142e3555022c14d
Opcode Fuzzy Hash: be6397570f82ed879736ea978630e9135650d1c1181a87ab006c2368be07cdfc
Instruction Fuzzy Hash: 04C2C271D002188FDB29CB68CC95FEEBBB5AF45300F1442ADE40AE7652D774AA85CF91

Function 000B58B0 Relevance: 39.6, APIs: 18, Strings: 4, Instructions: 1085COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,D7C8C78D,?,00000001,7096605D,00000000,00000000), ref: 000B5AD6

Part of subcall function 000AE120: memmove.VCRUNTIME140(?,75570E50,?,?,?,?,75570E50), ref: 000AE152

Part of subcall function 000BAC20: memmove.VCRUNTIME140(?, && timeout /t 5",00000011,?,0013E2C8,start cmd /C "color b && title Error && echo ,0000002D,?,0013E2C8,7096605D,00000000), ref: 000BACC1
Part of subcall function 000BAC20: system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000011,00000000, && timeout /t 5",00000011,?,0013E2C8,start cmd /C "color b && title Error && echo ,0000002D,?,0013E2C8,7096605D,00000000), ref: 000BAD26

memmove.VCRUNTIME140(?,000E042A,0013DAF9,?,00000000,?,D7C8C78D,?,00000001,7096605D,00000000,00000000), ref: 000B5B33

Part of subcall function 000ADFC0: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 000AE08E
Part of subcall function 000ADFC0: memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 000AE09C

Part of subcall function 000BF790: memmove.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,000B24D2,?,?,00000000,00000000,?,?,0000000F,00000000), ref: 000BF7CF

memmove.VCRUNTIME140(00000000,?,?,00000000), ref: 000B5C03
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,00000000), ref: 000B5FE5
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,00000000,DDDEC9C6,?,00000001), ref: 000B613A
memset.VCRUNTIME140(?,00000000,000000B0,00000000,?,00000000,DDDEC9C6,?,00000001), ref: 000B6173
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(DDDEC9C6,?,00000001), ref: 000B6195
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000), ref: 000B61B8
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,00000001), ref: 000B61F2

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z.MSVCP140(Function_0000F740), ref: 000B62A0
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(CBDDD5DF,00000002,00000000), ref: 000B62BD
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(?), ref: 000B62E2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 000B639D

Part of subcall function 000C3770: memmove.VCRUNTIME140(?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F), ref: 000C382F
Part of subcall function 000C3770: memmove.VCRUNTIME140(?,?,DCC8DA8D,?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D), ref: 000C3840

Part of subcall function 000BAC20: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000BAD97
Part of subcall function 000BAC20: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000BADD1

Part of subcall function 000C1600: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000000,00000000,001A60AC), ref: 000C17BF

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(CDCED9D8,?,00000001,00000000,?,message,success,?), ref: 000B65AB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,message,success,?), ref: 000B66F3
??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(CDCED9D8,?,00000001,00000000,?,message,success,?), ref: 000B6769
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 000B6775

Part of subcall function 000E3F3B: _callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F43
Part of subcall function 000E3F3B: _CxxThrowException.VCRUNTIME140(?,00155CAC,?), ref: 000E4ABF

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000B688E

Strings

Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 000B63E4
success, xrefs: 000B6412
message, xrefs: 000B6428
You need to run the KeyAuthApp.init(); function before any other KeyAuth functions, xrefs: 000B591E

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmove$U?$char_traits@$D@std@@@std@@$??6?$basic_ostream@V01@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_iostream@?setw@std@@D@std@@@1@@ExceptionJ@1@_Smanip@_ThrowU?$_V21@@V?$basic_streambuf@Vios_base@1@_callnewhmallocmemsetsystem
String ID: Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: $You need to run the KeyAuthApp.init(); function before any other KeyAuth functions$message$success
API String ID: 3384273977-4017831015
Opcode ID: 5a111758dc91383b9bcc0de89ccbea22ac7aa87b49edbf60b175be87c34e7942
Instruction ID: a4f85719faf3ae5de1f6e7049c128c5e905e8ddb3727593440c9f01a5916f5f2
Opcode Fuzzy Hash: 5a111758dc91383b9bcc0de89ccbea22ac7aa87b49edbf60b175be87c34e7942
Instruction Fuzzy Hash: D4A2AD70D006988FDB25DB64CC89BEDBBB1AF46304F1482D8E049AB292DB759E84CF51

Function 000B8FA0 Relevance: 38.1, APIs: 17, Strings: 4, Instructions: 1356COMMON

Download Yara Rule

APIs

Part of subcall function 000AE120: memmove.VCRUNTIME140(?,75570E50,?,?,?,?,75570E50), ref: 000AE152

Part of subcall function 000BAC20: memmove.VCRUNTIME140(?, && timeout /t 5",00000011,?,0013E2C8,start cmd /C "color b && title Error && echo ,0000002D,?,0013E2C8,7096605D,00000000), ref: 000BACC1
Part of subcall function 000BAC20: system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000011,00000000, && timeout /t 5",00000011,?,0013E2C8,start cmd /C "color b && title Error && echo ,0000002D,?,0013E2C8,7096605D,00000000), ref: 000BAD26

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,CCC8DB8D,?,00000001,?,?,?,7096605D,?,001A6E10), ref: 000B9242

Part of subcall function 000ADFC0: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 000AE08E
Part of subcall function 000ADFC0: memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 000AE09C

Part of subcall function 000B4C10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,C0DAC38D,C0DAC396,?,7096605D,?,00000000,?,?,?,?,?,?,C0DAC38D), ref: 000B4CFC

Part of subcall function 000BF790: memmove.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,000B24D2,?,?,00000000,00000000,?,?,0000000F,00000000), ref: 000BF7CF

memmove.VCRUNTIME140(?,?,?,?,00000000,?,CCC8DB8D,?,00000001,?,?,?,7096605D,?,001A6E10), ref: 000B9297
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,C0C2CF8D,?,?,?,?,00000001,?,?,?,7096605D,?,001A6E10), ref: 000B9462
memmove.VCRUNTIME140(00000000,?,?,?,00000000,00000000,C0C2CF8D,?,?,?,?,00000001,?,?,?,7096605D), ref: 000B94BF
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,00000001,?,?,?,7096605D,?,001A6E10), ref: 000B99D2
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,00000000,DDDEC9C6,?,00000001), ref: 000B9B49
memset.VCRUNTIME140(?,00000000,000000B0,00000000,?,00000000,DDDEC9C6,?,00000001), ref: 000B9B82
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(DDDEC9C6,?,00000001), ref: 000B9BA4
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000), ref: 000B9BC8
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,00000001), ref: 000B9C02
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z.MSVCP140(Function_0000F740), ref: 000B9CC0
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(CBDDD5DF,00000002,00000000), ref: 000B9CDD
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(?), ref: 000B9D02
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 000B9DAB

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(00000100,00000100,00000018,00000000,00000000,?,message,success,?), ref: 000BA265
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 000BA271
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000BA427

Strings

Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 000B9DEE
success, xrefs: 000B9E1D
message, xrefs: 000B9E39
You need to run the KeyAuthApp.init(); function before any other KeyAuth functions, xrefs: 000B901D

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@_invalid_parameter_noinfo_noreturnmemmove$??6?$basic_ostream@V01@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_iostream@?setw@std@@D@std@@@1@@J@1@_Smanip@_U?$_V21@@V?$basic_streambuf@Vios_base@1@mallocmemsetsystem
String ID: Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: $You need to run the KeyAuthApp.init(); function before any other KeyAuth functions$message$success
API String ID: 1312736169-4017831015
Opcode ID: 66d2bec92ba747228e4cda265f6185a84a5b1063a5857d0a9edf759646430fb2
Instruction ID: be955a54505ee1a5e578ee116e968d0b95d84f3f6bedb13c88caf2d82e06efd3
Opcode Fuzzy Hash: 66d2bec92ba747228e4cda265f6185a84a5b1063a5857d0a9edf759646430fb2
Instruction Fuzzy Hash: 09D29071D002588FDB15DB28CC88BEDBBB1AF46304F1482D9E549AB292DB749EC4DF91

Function 000B68D0 Relevance: 34.1, APIs: 15, Strings: 4, Instructions: 827COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,0013DC34,001A6E10), ref: 000B6A4B

Part of subcall function 000AE120: memmove.VCRUNTIME140(?,75570E50,?,?,?,?,75570E50), ref: 000AE152

Part of subcall function 000BAC20: memmove.VCRUNTIME140(?, && timeout /t 5",00000011,?,0013E2C8,start cmd /C "color b && title Error && echo ,0000002D,?,0013E2C8,7096605D,00000000), ref: 000BACC1
Part of subcall function 000BAC20: system.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000011,00000000, && timeout /t 5",00000011,?,0013E2C8,start cmd /C "color b && title Error && echo ,0000002D,?,0013E2C8,7096605D,00000000), ref: 000BAD26

Part of subcall function 000ADFC0: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 000AE08E
Part of subcall function 000ADFC0: memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 000AE09C

Part of subcall function 000B4C10: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,C0DAC38D,C0DAC396,?,7096605D,?,00000000,?,?,?,?,?,?,C0DAC38D), ref: 000B4CFC

Part of subcall function 000BF790: memmove.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,000B24D2,?,?,00000000,00000000,?,?,0000000F,00000000), ref: 000BF7CF

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,0013DC34,001A6E10), ref: 000B6D98
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,DDDEC9C6,?,00000001), ref: 000B6F06
memset.VCRUNTIME140(?,00000000,000000B0,00000000,?,?,DDDEC9C6,?,00000001), ref: 000B6F3F
??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(DDDEC9C6,?,00000001), ref: 000B6F61
??0?$basic_iostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@@Z.MSVCP140(?,00000000), ref: 000B6F84
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(?,?,?,?,00000001), ref: 000B6FBE
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@P6AAAVios_base@1@AAV21@@Z@Z.MSVCP140(Function_0000F740), ref: 000B7073
?setw@std@@YA?AU?$_Smanip@_J@1@_J@Z.MSVCP140(DDC8DF8D,00000002,00000000), ref: 000B7090
??6?$basic_ostream@DU?$char_traits@D@std@@@std@@QAEAAV01@H@Z.MSVCP140(?), ref: 000B70B8
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?), ref: 000B717F

Part of subcall function 000C1260: memmove.VCRUNTIME140(?,?,000BAFF8,00000000,?,?,000BAFF8,?,?), ref: 000C128D

??1?$basic_iostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(00000000,?,message,success,?), ref: 000B72CD
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 000B72D9
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000B73B3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,?,?,7096605D), ref: 000B74BA

Strings

Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: , xrefs: 000B71C6
success, xrefs: 000B71F4
message, xrefs: 000B720A
You need to run the KeyAuthApp.init(); function before any other KeyAuth functions, xrefs: 000B693E

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@memmove$_invalid_parameter_noinfo_noreturn$??6?$basic_ostream@V01@$??0?$basic_ios@??0?$basic_iostream@??0?$basic_streambuf@??1?$basic_ios@??1?$basic_iostream@?setw@std@@D@std@@@1@@J@1@_Smanip@_U?$_V21@@V?$basic_streambuf@Vios_base@1@memsetsystem
String ID: Signature checksum failed. Request was tampered with or session ended most likely. & echo: & echo Message: $You need to run the KeyAuthApp.init(); function before any other KeyAuth functions$message$success
API String ID: 2154783015-4017831015
Opcode ID: cb8a2dfe89c2118d7d8876a896c9fa12b831fdac8760c8dab67aa90a810884cb
Instruction ID: 24486231374e20f31ef9aac755d2fa38ec66932d61e39ddd12e781a542f0fc8b
Opcode Fuzzy Hash: cb8a2dfe89c2118d7d8876a896c9fa12b831fdac8760c8dab67aa90a810884cb
Instruction Fuzzy Hash: E372C070D002588FDB15DF68CC89BEDBBB1AF46304F144299E449AB292DB75AF84CF91

Function 000C7FA0 Relevance: 32.4, APIs: 13, Strings: 5, Instructions: 933COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140(?,?,?,00000000), ref: 000C94AB
__std_exception_destroy.VCRUNTIME140(?), ref: 000C94C1

Strings

value, xrefs: 000C93DA
object key, xrefs: 000C8931, 000C9112
object, xrefs: 000C8DF8
array, xrefs: 000C8C6E
object separator, xrefs: 000C8F88

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy
String ID: array$object$object key$object separator$value
API String ID: 2453523683-2448007618
Opcode ID: bebee995943c73d959cbb8445f721100a4f980ea15838d8ddd07b7c1148ed74d
Instruction ID: 0df4a3d3f5a07f5e3546c717d5594d3bff5afe8ee03c94200b9329cef4396cdb
Opcode Fuzzy Hash: bebee995943c73d959cbb8445f721100a4f980ea15838d8ddd07b7c1148ed74d
Instruction Fuzzy Hash: 9982D671D002588FDB18CB68CC98BEDBBB5BF45300F14829DE549AB792DB709E84CB95

Function 000D3930 Relevance: 31.7, APIs: 13, Strings: 4, Instructions: 1934memoryCOMMON

Download Yara Rule

APIs

VirtualAlloc.KERNEL32(00000000,00021200,00003000,00000004,7096605D), ref: 000D398A
VirtualAllocEx.KERNEL32(?,00000000,00025000,00003000,00000040), ref: 000D3BC0

Strings

Eof, xrefs: 000D3F75
,,(>}W^, xrefs: 000D47FD
e4'3, xrefs: 000D4765
;6>>}W^, xrefs: 000D4BC3

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: AllocVirtual
String ID: ,,(>}W^$;6>>}W^$Eof$e4'3
API String ID: 4275171209-2422216670
Opcode ID: 001523310af7a0c9a32f4fc63965f9bc16294a540e99514bc75175e708a33894
Instruction ID: 0a7ee0602063325d9a96878dfbbdc8dfc2821a70dd9e38194421bc157570aae3
Opcode Fuzzy Hash: 001523310af7a0c9a32f4fc63965f9bc16294a540e99514bc75175e708a33894
Instruction Fuzzy Hash: BD031135E157548FDB16CF38C850AA8F7B1BF6A344F15C35AE8417B762EB31A9828B40

Function 000D2950 Relevance: 26.8, APIs: 14, Strings: 1, Instructions: 555serviceCOMMON

Download Yara Rule

APIs

OpenSCManagerW.ADVAPI32(00000000,00000000,000F003F,?,00000001), ref: 000D2983
GetLastError.KERNEL32 ref: 000D2994

Part of subcall function 000CE970: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 000CE979

OpenServiceW.ADVAPI32(00000000,00000000,00000024), ref: 000D2B49
CloseServiceHandle.ADVAPI32(?), ref: 000D2B5E

Strings

VI@, xrefs: 000D29E9

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: OpenService$CloseErrorHandleLastManager__acrt_iob_func
String ID: VI@
API String ID: 1605991056-509713428
Opcode ID: e5f99c010d19f7767aafa6598ea8bd960aab4512e7904792953119a9ef7259b6
Instruction ID: 9f5c3fb92ca756503f41125ee8dbb7b80b17f6f6aeb10fda574ba18da03116c5
Opcode Fuzzy Hash: e5f99c010d19f7767aafa6598ea8bd960aab4512e7904792953119a9ef7259b6
Instruction Fuzzy Hash: D252A2B4E06258EFDB14CF98E990ADDBBB2FF49310F245199E849AB351D7306A85CF40

Function 000D3360 Relevance: 26.4, APIs: 11, Strings: 4, Instructions: 163injectionthreadmemoryCOMMON

Download Yara Rule

APIs

VirtualAllocEx.KERNEL32(?,00000000,00000014,00003000,00000040), ref: 000D3386

Part of subcall function 000D3550: Thread32First.KERNEL32(00000000,0000001C), ref: 000D3613
Part of subcall function 000D3550: Thread32Next.KERNEL32(00000000,0000001C), ref: 000D3640

OpenThread.KERNEL32(001FFFFF,00000000,00000000,?,00000000,00000014,00003000,00000040), ref: 000D33A7
SuspendThread.KERNEL32(00000000,?,00000000,00000014,00003000,00000040), ref: 000D33BE
GetThreadContext.KERNEL32(00000000,?,?,00000000,00000014,00003000,00000040), ref: 000D33D6
WriteProcessMemory.KERNEL32(?,00000000,00006660,00000003,00000000,?,00000000,00000014,00003000,00000040), ref: 000D3431
WriteProcessMemory.KERNEL32(?,00000003,00000068,00000005,00000000,?,00000000,00006660,00000003,00000000,?,00000000,00000014,00003000,00000040), ref: 000D3440
WriteProcessMemory.KERNEL32(?,00000008,000000E8,00000005,00000000,?,00000003,00000068,00000005,00000000,?,00000000,00006660,00000003,00000000), ref: 000D344F
WriteProcessMemory.KERNEL32(?,0000000D,fa`f,00000003,00000000,?,00000008,000000E8,00000005,00000000,?,00000003,00000068,00000005,00000000), ref: 000D345E
WriteProcessMemory.KERNEL32(?,00000010,000000E9,00000005,00000000,?,0000000D,fa`f,00000003,00000000,?,00000008,000000E8,00000005,00000000), ref: 000D346D
SetThreadContext.KERNEL32(?,0001003F,?,00000010,000000E9,00000005,00000000,?,0000000D,fa`f,00000003,00000000,?,00000008,000000E8,00000005), ref: 000D347D
ResumeThread.KERNEL32(?,?,00000010,000000E9,00000005,00000000,?,0000000D,fa`f,00000003,00000000,?,00000008,000000E8,00000005,00000000), ref: 000D3484

Strings

h, xrefs: 000D3418
fa`f, xrefs: 000D3455, 000D3458
`f, xrefs: 000D340E
?, xrefs: 000D33CA

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: MemoryProcessThreadWrite$ContextThread32$AllocFirstNextOpenResumeSuspendVirtual
String ID: ?$`f$fa`f$h
API String ID: 3168608564-1748709450
Opcode ID: b2c2033a9d420a60f6170c9dc462c1e77909b9201188925ddb32c5b3986b7711
Instruction ID: 890bce446431af951b8a3bbeedd5d4aa5e3607224dc3fbf92daac7775e9ac221
Opcode Fuzzy Hash: b2c2033a9d420a60f6170c9dc462c1e77909b9201188925ddb32c5b3986b7711
Instruction Fuzzy Hash: 5E51B235A402199FDB25CF64CC84FBEBBB8EF49700F1441AAE504AB291D731AE45CFA1

Function 000A4350 Relevance: 24.8, APIs: 11, Strings: 3, Instructions: 320COMMON

Download Yara Rule

APIs

GetCurrentProcess.KERNEL32(00000008,?,00000000,001A6E10), ref: 000A4388
OpenProcessToken.ADVAPI32(00000000), ref: 000A438F
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?), ref: 000A44D4
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000A44D9
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,00000000), ref: 000A44F2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000A4500
ConvertSidToStringSidA.ADVAPI32(?,?), ref: 000A4637
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000A4646
LocalFree.KERNEL32(00000000,00000000,?), ref: 000A479F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000A47A6
CloseHandle.KERNEL32(00000000), ref: 000A47B2

Strings

,, xrefs: 000A467A
oqD\, xrefs: 000A4656
,, xrefs: 000A466C

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Tokenfree$InformationProcess$CloseConvertCurrentFreeHandleLocalOpenStringmalloc
String ID: ,$ ,$oqD\
API String ID: 753083310-193674564
Opcode ID: e244c0ac79f6cc09f86dd511c3e273364a497617c02f69d8cdb5c9096ea41fa9
Instruction ID: 11ce55144809e274385c628bb3aa50341ef4c70b913b30b6a1c4249f382af2af
Opcode Fuzzy Hash: e244c0ac79f6cc09f86dd511c3e273364a497617c02f69d8cdb5c9096ea41fa9
Instruction Fuzzy Hash: F0F1CEB8D052589FDB14CFA8E985AEDBBB1FF49304F244219E949B7311E7712A82CF44

Function 000A8060 Relevance: 24.3, APIs: 6, Strings: 6, Instructions: 3286COMMON

Download Yara Rule

APIs

Part of subcall function 000E5030: AcquireSRWLockExclusive.KERNEL32(001A6C18,000ABB06), ref: 000E5035
Part of subcall function 000E5030: ReleaseSRWLockExclusive.KERNEL32(001A6C18), ref: 000E5075

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000ABB32
GetUserNameA.ADVAPI32(?,?), ref: 000ABBAC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,7096605D,?), ref: 000AC8F1

Part of subcall function 000A4350: GetCurrentProcess.KERNEL32(00000008,?,00000000,001A6E10), ref: 000A4388
Part of subcall function 000A4350: OpenProcessToken.ADVAPI32(00000000), ref: 000A438F

Part of subcall function 000AD9C0: memmove.VCRUNTIME140(?,?,?), ref: 000ADA06

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,7096605D,?), ref: 000ACE41
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 000AD1C7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?), ref: 000AD32A

Strings

_Vf=, xrefs: 000AC92C
_Vf=, xrefs: 000ACB47
|3, xrefs: 000AD22D
et*|, xrefs: 000AD095
7<,{, xrefs: 000AABBF
oqD\, xrefs: 000ABBFC

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$ExclusiveLockProcess$AcquireCurrentNameOpenReleaseTokenUsermemmove
String ID: 7<,{$_Vf=$_Vf=$et*|$oqD\$|3
API String ID: 1999400758-2244986176
Opcode ID: 08dc8821e9ed15ee5663f95ceee9f85c3be74675c5ca39f34446b8213a536847
Instruction ID: 927de82b91e617865df2bdea7d22cb51a377f1e47e2f50d25b009710c74811a2
Opcode Fuzzy Hash: 08dc8821e9ed15ee5663f95ceee9f85c3be74675c5ca39f34446b8213a536847
Instruction Fuzzy Hash: 8CA377B4D056688BDBA5CF18DD807E9BBB5AF89314F1041DA9A4DB7342DB302EC18F58

Function 000A4800 Relevance: 20.4, APIs: 6, Strings: 4, Instructions: 2880registryCOMMON

Download Yara Rule

APIs

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

RegOpenKeyExA.ADVAPI32(80000001,?,00000000,000F003F,00000000,00000000), ref: 000A4A04
memchr.VCRUNTIME140(?,00000049,?,?,?,?,?,?,?,F964096D), ref: 000A7779
memchr.VCRUNTIME140(00000001,00000049,?,?,?,?,?,?,?,?,?,?,F964096D), ref: 000A77F2
RegCreateKeyExA.ADVAPI32(80000001,?,00000000,00000000,00000000,000F003F,00000000,00000000,00000000), ref: 000A4A2A

Part of subcall function 000AD9C0: memmove.VCRUNTIME140(?,?,?), ref: 000ADA06

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 000A802F

Part of subcall function 000ADEC0: memchr.VCRUNTIME140 ref: 000ADF08
Part of subcall function 000ADEC0: memchr.VCRUNTIME140(00000001,?,?), ref: 000ADF8B

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 000A7F66

Strings

et*|, xrefs: 000A7E73
7<,{, xrefs: 000A6A3F
engine, xrefs: 000A7F30
IP_PLACEHOLDER, xrefs: 000A7792

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memchr$_invalid_parameter_noinfo_noreturn$CreateOpenmallocmemmove
String ID: 7<,{$IP_PLACEHOLDER$engine$et*|
API String ID: 4066840904-1141489582
Opcode ID: 2f831308b94fcbb8841de9305ab189c015c614b4efb3bed90bfcc7db0782d255
Instruction ID: eef79026269d7f0940e25ae2da1f631cd22fae16ec901cc9c1b56b2bc4645f8d
Opcode Fuzzy Hash: 2f831308b94fcbb8841de9305ab189c015c614b4efb3bed90bfcc7db0782d255
Instruction Fuzzy Hash: 7D8378B8D053688BDB65CFA8D9816DCBBF1BF4A314F204199D94DAB351DB306A81CF44

Function 000E3BEB Relevance: 16.7, APIs: 11, Instructions: 200fileCOMMON

Download Yara Rule

APIs

GetFileAttributesExW.KERNEL32(?,00000000,?,?), ref: 000E3C83
GetLastError.KERNEL32 ref: 000E3C8D
FindFirstFileW.KERNEL32(?,?), ref: 000E3CA4
GetLastError.KERNEL32 ref: 000E3CAF
FindClose.KERNEL32(00000000), ref: 000E3CBB
___std_fs_open_handle@16.LIBCPMT ref: 000E3D74
___std_fs_close_handle@4.MSVCPRT ref: 000E3E3B

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorFileFindLast$AttributesCloseFirst___std_fs_close_handle@4___std_fs_open_handle@16
String ID:
API String ID: 3584187540-0
Opcode ID: 80eea6e206f9ee5602c81c4759fc94654ae0138fd22bf344c277bec429b68b25
Instruction ID: 830dc6c1faa245455f74fc933a5c554fd572e37ea61e0ccf379236ab143e95f4
Opcode Fuzzy Hash: 80eea6e206f9ee5602c81c4759fc94654ae0138fd22bf344c277bec429b68b25
Instruction Fuzzy Hash: B2718074A00659AFCB64CF2ADC897AABBF8BF05320F144255E855F3390DB30AE85CB51

Function 000C81D6 Relevance: 14.4, APIs: 6, Strings: 2, Instructions: 429COMMON

Download Yara Rule

APIs

_dclass.API-MS-WIN-CRT-MATH-L1-1-0 ref: 000C81E4
__std_exception_destroy.VCRUNTIME140 ref: 000C8BAC
__std_exception_destroy.VCRUNTIME140(?), ref: 000C8BC2

Strings

object key, xrefs: 000C8931
number overflow parsing ', xrefs: 000C8A6D

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$_dclass
String ID: number overflow parsing '$object key
API String ID: 1615805995-1994755323
Opcode ID: db3cd5957051b0794a1a4ebdc53acab135f3c69211160d519dae1ab869e2dc6d
Instruction ID: 019b6f4abc522423f2efea0462b5a60219f2f6867783b1230c91a2ab538709fa
Opcode Fuzzy Hash: db3cd5957051b0794a1a4ebdc53acab135f3c69211160d519dae1ab869e2dc6d
Instruction Fuzzy Hash: F702F571D006598FDB18CF64CC88BEDF7B1BF49300F14829DE509AB642DB74AA84CB94

Function 000D05B0 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 204COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000100,?,?,?,?), ref: 000D07B5
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,00000003,00000001,00000003,00000020,00000003,?,?,?), ref: 000D07DA
VerSetConditionMask.KERNEL32(00000000), ref: 000D07DE
VerSetConditionMask.KERNEL32(00000000), ref: 000D07E2
VerifyVersionInfoW.KERNEL32(0000011C,00000023,00000000), ref: 000D0809
GetLastError.KERNEL32 ref: 000D0828
GetLastError.KERNEL32 ref: 000D08E6

Strings

print, xrefs: 000D08CA

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ConditionMask$ErrorLast$InfoVerifyVersionmemset
String ID: print
API String ID: 844649642-366378086
Opcode ID: aa067c150bf29671c5c1823f284c097abec276513cf09e920ec4217687923245
Instruction ID: 02e91110ea2a22efb1be283f277deacf19c16375d18df52796f8e88536514681
Opcode Fuzzy Hash: aa067c150bf29671c5c1823f284c097abec276513cf09e920ec4217687923245
Instruction Fuzzy Hash: DEA1E174A042289BDB25CF28CC95BDABBB4AF49300F0441DAD949AB351DB30AF85CF80

Function 0010CB30 Relevance: 10.2, Strings: 8, Instructions: 222COMMON

Download Yara Rule

Strings

%4lldG, xrefs: 0010CD3D
%5lld, xrefs: 0010CB50
%4lldM, xrefs: 0010CC6C
%2lld.%0lldG, xrefs: 0010CD0D
%4lldk, xrefs: 0010CB82
%2lld.%0lldM, xrefs: 0010CC3A
%4lldP, xrefs: 0010CD64
%4lldT, xrefs: 0010CD57

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: %2lld.%0lldG$%2lld.%0lldM$%4lldG$%4lldM$%4lldP$%4lldT$%4lldk$%5lld
API String ID: 0-3476178709
Opcode ID: ed37bd5e111c99bf923949c4c167c19c9698edf9fc846ebaa69f0dc903288d1e
Instruction ID: 18d72bb02d77751073638250c5d005fee9d23d57fa227f54767d6bb9b314b6ec
Opcode Fuzzy Hash: ed37bd5e111c99bf923949c4c167c19c9698edf9fc846ebaa69f0dc903288d1e
Instruction Fuzzy Hash: 715135B27043052BE7089A6CDD92B7B72C5E798754F88063CB986D73D2E7D9CC0146D5

Function 000E4AD5 Relevance: 9.1, APIs: 6, Instructions: 70COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(00000017,?), ref: 000E4AE1
memset.VCRUNTIME140(?,00000000,00000003), ref: 000E4B07
memset.VCRUNTIME140(?,00000000,00000050), ref: 000E4B91
IsDebuggerPresent.KERNEL32 ref: 000E4BAD
SetUnhandledExceptionFilter.KERNEL32(00000000), ref: 000E4BC6
UnhandledExceptionFilter.KERNEL32(?), ref: 000E4BD0

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionFilterPresentUnhandledmemset$DebuggerFeatureProcessor
String ID:
API String ID: 1045392073-0
Opcode ID: 289c9943ab7b3ff5599800af2039f4a30d349e7011d259086229f494faf903b2
Instruction ID: 822a1a63cec81f0b29ebcb420024f875f14e20ba39eed82cf94bbb2cba017022
Opcode Fuzzy Hash: 289c9943ab7b3ff5599800af2039f4a30d349e7011d259086229f494faf903b2
Instruction Fuzzy Hash: 6431F9B5D05318DBDB60DF65D949BCDBBF8AF08700F1041AAE50DAB250EB709AC58F45

Function 000DAE20 Relevance: 6.4, APIs: 1, Strings: 3, Instructions: 353COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000DB057

Part of subcall function 000CE970: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 000CE979

Strings

@PG@Q5, xrefs: 000DB2A6
lp4<, xrefs: 000DAFEF
XI3;, xrefs: 000DAF55

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__acrt_iob_func
String ID: @PG@Q5$XI3;$lp4<
API String ID: 220543977-3768292294
Opcode ID: 24203bf2e6d04bf4668dec519fece90a5c1585296b2a420ac066bd1482b45fcd
Instruction ID: 1dafec49bb77c91820c36cca2f6c2dca61d1b0718b9c96c61f22b30da41be7b7
Opcode Fuzzy Hash: 24203bf2e6d04bf4668dec519fece90a5c1585296b2a420ac066bd1482b45fcd
Instruction Fuzzy Hash: FA020575A04229CFDB69CF18C8A0BA9B7B1BF49704F1581DED9496B311DB31AE85CF80

Function 000D3710 Relevance: 6.2, APIs: 4, Instructions: 170stringCOMMON

Download Yara Rule

APIs

Process32FirstW.KERNEL32(00000000,0000022C), ref: 000D37E2
wcstombs.API-MS-WIN-CRT-CONVERT-L1-1-0(?,?,00000104), ref: 000D3813
strstr.VCRUNTIME140(?,?), ref: 000D3825
Process32NextW.KERNEL32(?,0000022C), ref: 000D383F

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Process32$FirstNextstrstrwcstombs
String ID:
API String ID: 2424144712-0
Opcode ID: 4c4917be0c1752b62cbccd192283973ab89af1d841abda1c7b46a13b1f5a3f05
Instruction ID: cfc975a406c945a4ab4a0bf0af215385b27a6b257a6cba723c65ad39c786080f
Opcode Fuzzy Hash: 4c4917be0c1752b62cbccd192283973ab89af1d841abda1c7b46a13b1f5a3f05
Instruction Fuzzy Hash: E2619E74A042198FCB25CF18C890AA9B3F9EF49714F1541EAE8499B351DB31BF85CF90

Function 000C0D00 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 292COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000C1035

Strings

\u%04x, xrefs: 000C0F12
%.2X, xrefs: 000C0DE1, 000C0FFF

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn
String ID: %.2X$\u%04x
API String ID: 3668304517-1814277092
Opcode ID: fdaec9b3387afcf6d99b04047e9fae4195d3b6a8c2e55e2c8b9bc2d6ff2c14cc
Instruction ID: b19ee9f434ff3be830b2d46b392434a439ef6b9a8204baf2a3a99af0674305e1
Opcode Fuzzy Hash: fdaec9b3387afcf6d99b04047e9fae4195d3b6a8c2e55e2c8b9bc2d6ff2c14cc
Instruction Fuzzy Hash: 2DB1BF31E00115DBC724CFA8C894BBEBBB1EF49300F24826EE515EB656D6329A85CB91

Function 000E3EAF Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 32windowCOMMON

Download Yara Rule

APIs

GetLocaleInfoEx.KERNEL32(!x-sys-default-locale,20000001,?,00000002,7096605D,?,000AF623,?,7096605D), ref: 000E3EC3
FormatMessageA.KERNEL32(00001300,00000000,00000000,?,7096605D,00000000,00000000,?,?,000AF623,?,7096605D), ref: 000E3EEA

Strings

!x-sys-default-locale, xrefs: 000E3EBE

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: FormatInfoLocaleMessage
String ID: !x-sys-default-locale
API String ID: 4235545615-2729719199
Opcode ID: 3a1d4dbc6839e2e1add12fedab508cbaf72fb1256e04c8242b2208b307350bbb
Instruction ID: 86cec4ba7f735707c3582dda2c0cf0e0027196f173d2da13395f980e4c398c47
Opcode Fuzzy Hash: 3a1d4dbc6839e2e1add12fedab508cbaf72fb1256e04c8242b2208b307350bbb
Instruction Fuzzy Hash: FAF03075610109FFEB149BD6DC0ADEB7AACEB09790B404019B602E7190E2B0AF809760

Function 00112A40 Relevance: 5.2, APIs: 4, Instructions: 174COMMON

Download Yara Rule

APIs

malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,-0000001A), ref: 00112AD1
memset.VCRUNTIME140(?,000000FF,0000002B,00000000,?), ref: 00112B0E
memset.VCRUNTIME140(?,000000FF,00000085,?,000000FF,0000002B,00000000,?), ref: 00112B25
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,00000000,?), ref: 00112BCD

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memset$freemalloc
String ID:
API String ID: 2494952999-0
Opcode ID: 891058f36bf29962fa8a22450cb1ed2f65205176a236dce2475b05ffd6dca891
Instruction ID: 6035f38cac67e7344442fca84de3664391d032219adb641bfca03467d438c66e
Opcode Fuzzy Hash: 891058f36bf29962fa8a22450cb1ed2f65205176a236dce2475b05ffd6dca891
Instruction Fuzzy Hash: B9514531A083858BD32DCF28D8413FAB7E5EFD6300F04856EE586C7252EB3099A5C752

Function 000A3920 Relevance: 4.2, Strings: 3, Instructions: 456COMMON

Download Yara Rule

Strings

1.C, xrefs: 000A3E34
`|a{U, xrefs: 000A39BC
\T\US[?, xrefs: 000A3EBB

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: 1.C$\T\US[?$`|a{U
API String ID: 0-1763564542
Opcode ID: c14506758d3ff1c1c5cdfd893601e116c62598a14071db8ae678f1ef76297138
Instruction ID: 9b769a8316c63c100fb32917b2c4929520a97053f5b4abd9f062c25ea3314512
Opcode Fuzzy Hash: c14506758d3ff1c1c5cdfd893601e116c62598a14071db8ae678f1ef76297138
Instruction Fuzzy Hash: 27121675D157868BEB03DF79C8013EAF7B5AFA7244F14D32AE81076662E771A2C28740

Function 000D14A0 Relevance: 3.9, Strings: 3, Instructions: 121COMMON

Download Yara Rule

Strings

G'xC, xrefs: 000D14EB
hXMV, xrefs: 000D1604
hXMV, xrefs: 000D1619

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: G'xC$hXMV$hXMV
API String ID: 0-3779631648
Opcode ID: 50508bc3039249cb14c855d443deadfc8235660e030ec7e7d58a83e75d0ec4e7
Instruction ID: acd25248289b35366b45d67d236ddd552d1282f4b9a3f4cbdb0b2d0cded08937
Opcode Fuzzy Hash: 50508bc3039249cb14c855d443deadfc8235660e030ec7e7d58a83e75d0ec4e7
Instruction Fuzzy Hash: 2C51CCB4D18658ABCB04CFA9E881ADDFBB5FF49310F14822AE859BB350E7306905CF54

Function 000B1ED0 Relevance: 3.8, APIs: 1, Strings: 1, Instructions: 258COMMON

Download Yara Rule

APIs

Part of subcall function 000C26A0: memmove.VCRUNTIME140(00000000,00000000,000B4792,?,00000000), ref: 000C276D

___std_fs_get_current_path@8.LIBCPMT ref: 000B1F82

Strings

.tex, xrefs: 000B2121

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ___std_fs_get_current_path@8memmove
String ID: .tex
API String ID: 2466531287-1946526065
Opcode ID: 3ba05571a48acc0367ede284345740aa7a0d452c271f1ac1a1f7a88b0520af00
Instruction ID: d82ccc1e55fb5bfd763876794f4428833915fa30f1596af419dc6aae13d85cea
Opcode Fuzzy Hash: 3ba05571a48acc0367ede284345740aa7a0d452c271f1ac1a1f7a88b0520af00
Instruction Fuzzy Hash: FBA178B0A043459FCB24CF28C854AAEFBF1FF88704F148A2EE495A7351E771A945CB91

Function 000D9920 Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000D9B57

Part of subcall function 000CE970: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 000CE979

Strings

@PG@Q5, xrefs: 000D9DA6

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__acrt_iob_func
String ID: @PG@Q5
API String ID: 220543977-96674166
Opcode ID: 5155f1993fbe6b643d26b0b387e233c5f64988ddec86be47658aefaca835b0a7
Instruction ID: 2c2b3f264bb8f1f6f2c202836a66a9a9d77c52699506737ce8aa2599f052b45c
Opcode Fuzzy Hash: 5155f1993fbe6b643d26b0b387e233c5f64988ddec86be47658aefaca835b0a7
Instruction Fuzzy Hash: C502F535A042298FDB69CF08C8A0BA9B7B1FF49704F1581DED94A6B351D770AE81CF80

Function 000DA770 Relevance: 3.4, APIs: 1, Strings: 1, Instructions: 353COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000DA9A7

Part of subcall function 000CE970: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 000CE979

Strings

@PG@Q5, xrefs: 000DABF6

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__acrt_iob_func
String ID: @PG@Q5
API String ID: 220543977-96674166
Opcode ID: 3c02480050c36ef2b1ffb672b27bea917f7d5d75e14e73814047a252fbb460ee
Instruction ID: 86c62cd049302f2719578a36d8135442a47b8fa6f24d99d861bc660811889a09
Opcode Fuzzy Hash: 3c02480050c36ef2b1ffb672b27bea917f7d5d75e14e73814047a252fbb460ee
Instruction Fuzzy Hash: 02020634A04225CFDB29CF18C8A0BA9B7B1FF49714F1581DAD94A6B311DB31AE81CF90

Function 000D67C1 Relevance: 3.2, APIs: 1, Strings: 1, Instructions: 184COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32 ref: 000D67CC

Part of subcall function 000CE970: __acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001), ref: 000CE979

Strings

@PG@Q5, xrefs: 000D6A29

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ErrorLast__acrt_iob_func
String ID: @PG@Q5
API String ID: 220543977-96674166
Opcode ID: 15a94194b80a8dc2b3f846a8fcb51cf5f4a4464b4da89615d4faa3c6e8ad9316
Instruction ID: 23d83b5944c85aea165d6c89e17f01f2ee6806ace71d076a517725f25d713930
Opcode Fuzzy Hash: 15a94194b80a8dc2b3f846a8fcb51cf5f4a4464b4da89615d4faa3c6e8ad9316
Instruction Fuzzy Hash: A2A1CE74905269CFEB25CF18C8A4BA9B7B1BF49304F1982DAD849AB351D731AE81CF50

Function 000D3550 Relevance: 3.2, APIs: 2, Instructions: 160threadCOMMON

Download Yara Rule

APIs

Thread32First.KERNEL32(00000000,0000001C), ref: 000D3613
Thread32Next.KERNEL32(00000000,0000001C), ref: 000D3640

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Thread32$FirstNext
String ID:
API String ID: 3555619780-0
Opcode ID: dccc6a72ff90af140b1fb4b636f611b7f25268e45a08c9fed7d68abbcda4899b
Instruction ID: 4311b25d8bb42340f26e1bfb73cd43da4f88637f4eb57924dfc41fc0c4dd177b
Opcode Fuzzy Hash: dccc6a72ff90af140b1fb4b636f611b7f25268e45a08c9fed7d68abbcda4899b
Instruction Fuzzy Hash: 0D517934A046198FCB24CF18C490EA9B7F5EF49714B1981AAD945AB362DB31EE05CBA0

Function 000D78C0 Relevance: 2.6, Strings: 2, Instructions: 122COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 000D797E
\~`[, xrefs: 000D7A05

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5$\~`[
API String ID: 0-873556266
Opcode ID: d46c8c3333c61131e484f6684df72202c23ce1dc60c4b606996c7b1cb0f805e2
Instruction ID: b95a0ab1689659fd8e9723160fea24a3a87d6669f8112cf5e491dd46974813cf
Opcode Fuzzy Hash: d46c8c3333c61131e484f6684df72202c23ce1dc60c4b606996c7b1cb0f805e2
Instruction Fuzzy Hash: 11512935A052258FDB29CF08C460BA9B7F1FF49704F1A41DEC94A6B751EB71AE41CB90

Function 000D7040 Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 000D70F6
}Ej, xrefs: 000D708F

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5$}Ej
API String ID: 0-3380338130
Opcode ID: b81d24930289dfc7edafda75e13069b89f7040773c4bfd65e041393657ab633d
Instruction ID: 8e64cb3b5c1f51909e0858b3723f4d358a862d161005bbeeb41a5b793f65ca55
Opcode Fuzzy Hash: b81d24930289dfc7edafda75e13069b89f7040773c4bfd65e041393657ab633d
Instruction Fuzzy Hash: 9B511734A052258FDB29CF18C4A0B69B7F1FF49704F1A82DAC9596B751EB31AD42CB90

Function 000D8600 Relevance: 2.6, Strings: 2, Instructions: 121COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 000D86B6
&o4M, xrefs: 000D8745

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: &o4M$@PG@Q5
API String ID: 0-1811181629
Opcode ID: 3a033d83b8e84a3e5fe57955fd33e8a0e6ae583c750277a58572262160730a8d
Instruction ID: ce7ee5941c41e4240ebd5a59aba59a472af8be52b2d07c96224f63d18b4609fd
Opcode Fuzzy Hash: 3a033d83b8e84a3e5fe57955fd33e8a0e6ae583c750277a58572262160730a8d
Instruction Fuzzy Hash: 51513734A052258FDB29CF18C4A0BA9B7F1FF49714F1A81DEC94A6B752DB31AD41CB90

Function 000CACB0 Relevance: 1.8, APIs: 1, Instructions: 294COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(?), ref: 000CADC3

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: b31d11a702e8492ca9b49943c2349b24e448ab2a7e4a9a89bd964a62717c97de
Instruction ID: 27b6f003ae147149808330a2cf8f51defa5710feeac5f76b2a207b7160fd965e
Opcode Fuzzy Hash: b31d11a702e8492ca9b49943c2349b24e448ab2a7e4a9a89bd964a62717c97de
Instruction Fuzzy Hash: C0C14775A1064E9FCB15CFA8C480AADFBF1BF5A304F54866EE806EB345D730A941CB91

Function 000CB960 Relevance: 1.8, APIs: 1, Instructions: 285COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(7096605D,?,00000000), ref: 000CBA49

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: e6c8695dd06ec18bdd81a651f69fb576372d4bd5c406be9c51bada8c4f4560bd
Instruction ID: 0c0ca93cbe9ec68fff8c097794a14fc0606f458bc4155595fedc73a305c8a6d3
Opcode Fuzzy Hash: e6c8695dd06ec18bdd81a651f69fb576372d4bd5c406be9c51bada8c4f4560bd
Instruction Fuzzy Hash: B4B15871A04649CFCB15CFA8C490AADFBF1BF99300F54869EE846EB356D770A944CB90

Function 000CB320 Relevance: 1.8, APIs: 1, Instructions: 282COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(7096605D,?,00000000,?,?,?,?,?,?), ref: 000CB400

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: b9156b9dd71415d0708af5d924262f3a2f293022c900b09bcd362920717ce355
Instruction ID: ece02af78c3cc0e314c802f0b449019c68db2629f25a7bb99440040fc79f9df9
Opcode Fuzzy Hash: b9156b9dd71415d0708af5d924262f3a2f293022c900b09bcd362920717ce355
Instruction Fuzzy Hash: 66B13675A0464A8FCB15CFA8D590BADFBF1BF99300F14865DE846EB356E730A940CB90

Function 000CB640 Relevance: 1.8, APIs: 1, Instructions: 282COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(7096605D,?,00000000,?,?,?,0013F4DD,000000FF), ref: 000CB720

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: 1026e9b9449cadf6f700f81ee278d7c6f3188eeb317e37a6d4ee5fa1ed36f198
Instruction ID: 8dc2d9762d819673452e2154ce4d49d50b29435c5fc9defad5477aef8e92250d
Opcode Fuzzy Hash: 1026e9b9449cadf6f700f81ee278d7c6f3188eeb317e37a6d4ee5fa1ed36f198
Instruction Fuzzy Hash: BDB16875A0464A8FCB15CFA8C480AADFBF5FF89300F54865EE846EB355DB30A945CB90

Function 000CB000 Relevance: 1.8, APIs: 1, Instructions: 280COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(7096605D,?,00000000), ref: 000CB0DE

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: 852568c7cbb9ec1cdfcf608c031931b860f8a941e9c343259af2e4ea3047b303
Instruction ID: 5f58285a4a0564d22bdafeb777f9ba20ac7217881aa5c03a086ed04a44f5df20
Opcode Fuzzy Hash: 852568c7cbb9ec1cdfcf608c031931b860f8a941e9c343259af2e4ea3047b303
Instruction Fuzzy Hash: 4CB15871A0464A8FCB15CFACC890AADFBF1BF99300F54865EE846EB345D731A944CB90

Function 000CBC90 Relevance: 1.8, APIs: 1, Instructions: 279COMMON

Download Yara Rule

APIs

?_Xbad_function_call@std@@YAXXZ.MSVCP140(00000000,7096605D,?,00000000), ref: 000CBD70

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Xbad_function_call@std@@
String ID:
API String ID: 1029415015-0
Opcode ID: f1928958fe2219b3db9bc2323a41972bc3c0f551ac3c0a8a43e5e92458610c08
Instruction ID: 561beba4db6f1ace2579d2307b5ed39a9c83c2a1afc1e50571c03c89a54468dc
Opcode Fuzzy Hash: f1928958fe2219b3db9bc2323a41972bc3c0f551ac3c0a8a43e5e92458610c08
Instruction Fuzzy Hash: 7EB13775A0064ACFCB15CFA9C890BADFBF1BB59300F54866DE806EB346D731A941CB90

Function 000E4763 Relevance: 1.7, APIs: 1, Instructions: 242COMMON

Download Yara Rule

APIs

IsProcessorFeaturePresent.KERNEL32(0000000A), ref: 000E4779

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: FeaturePresentProcessor
String ID:
API String ID: 2325560087-0
Opcode ID: 2017be6692ccf1ec0c4c2d2cb821bcc9ba3899d0bd681199202adabe58c2c660
Instruction ID: 038341afe95b2a5cd2a3e9223666eb01a56eafd96710169911d0423388b71b60
Opcode Fuzzy Hash: 2017be6692ccf1ec0c4c2d2cb821bcc9ba3899d0bd681199202adabe58c2c660
Instruction Fuzzy Hash: 27A14E71A00755CFDB18CF55D8856AEBBF8FB88325F18852AE415EB6A0D3349980CF61

Function 000CD020 Relevance: 1.6, APIs: 1, Instructions: 396COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 0a77085fcb5963fc2eef8a5b5570297ae71cff60d99f716f1182e5039cdd7ab5
Instruction ID: c2f067f0b3183319b57fc8a79b501ddd8f43ddf920c7e3d847b27c3e6d5a5653
Opcode Fuzzy Hash: 0a77085fcb5963fc2eef8a5b5570297ae71cff60d99f716f1182e5039cdd7ab5
Instruction Fuzzy Hash: 1EE10772E006698FDF18CF99D891AADBBB2FFD8310B19816ED95677344CA306D05CB90

Function 0010F990 Relevance: 1.6, APIs: 1, Instructions: 61COMMON

Download Yara Rule

APIs

BCryptGenRandom.BCRYPT(00000000,?), ref: 0010F9E0

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: CryptRandom
String ID:
API String ID: 2662593985-0
Opcode ID: 5e1654712904c906434571cdf865142510714535f15427a4940547ed9c297187
Instruction ID: dbf717ac190db24c2ce327cf88819eb4689386c0e4e47f038076a1417ad837c1
Opcode Fuzzy Hash: 5e1654712904c906434571cdf865142510714535f15427a4940547ed9c297187
Instruction Fuzzy Hash: 8E1159723043419AE720CE69ED42B37BBD8EB913A4F54057EF6C4D3AC2D761C8468751

Function 000D1A10 Relevance: 1.5, APIs: 1, Instructions: 258COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,000002C8,?,?), ref: 000D1BFE

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memset
String ID:
API String ID: 2221118986-0
Opcode ID: 1ad058364b1136002c4fe3bd898f9ea0bb8425e4901b6ee1de7d1ec8705af3d8
Instruction ID: f95b1e2c0f8e58f7e02eb5800b6bc894f59777cd78d4f35a5a29e39d908222fd
Opcode Fuzzy Hash: 1ad058364b1136002c4fe3bd898f9ea0bb8425e4901b6ee1de7d1ec8705af3d8
Instruction Fuzzy Hash: E6C10574A412698FCB65CF18C898BACB7F5BF48300F1441EAD849AB351DB70AE86CF44

Function 000D5724 Relevance: 1.5, Strings: 1, Instructions: 239COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 000D59F6

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: f3540b0750918a85528bef4cd2139cbb4499d70764b605e26499184d3c91a6c7
Instruction ID: bcbe333f18bb463de0f9aad5aca3b8760460a2a312c4470f7dd7ae5dc483602f
Opcode Fuzzy Hash: f3540b0750918a85528bef4cd2139cbb4499d70764b605e26499184d3c91a6c7
Instruction Fuzzy Hash: 30B1F0349157558FDB16CF28C850BA4F3F4BF56246F15939AD8087B762EB30AA82CB40

Function 000C6020 Relevance: 1.5, APIs: 1, Instructions: 219COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 33d631b4bdaf249851533060080f146fcb6c016da732196145878b043f9a8052
Instruction ID: b230d6948b88d7b7b52735129b1b8e861507cc0666bd4458db1044aa57108a8f
Opcode Fuzzy Hash: 33d631b4bdaf249851533060080f146fcb6c016da732196145878b043f9a8052
Instruction Fuzzy Hash: 71713FB1E0051A9BCB24CFA9C845BAEF7B1FB84300F59866DD915E7345E732AA11CB80

Function 000C44A0 Relevance: 1.4, Strings: 1, Instructions: 192COMMON

Download Yara Rule

Strings

null, xrefs: 000C463B

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: null
API String ID: 0-634125391
Opcode ID: 0133ea7182bbc2d83d84aec650c074f79a1932be569d8447f68626ab2e91ca7d
Instruction ID: a4f9f376e0632db51d7267edf1343fdbb160fadc5de8b3af297dabfd292407da
Opcode Fuzzy Hash: 0133ea7182bbc2d83d84aec650c074f79a1932be569d8447f68626ab2e91ca7d
Instruction Fuzzy Hash: 38519470B0054C8FDB24EF68A422BEEB3F4EB49311F0041AEF91A9B693CE755A448781

Function 000D8D80 Relevance: 1.4, Strings: 1, Instructions: 177COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 000D8EE6

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: 472d6c95894369a90536220468fcaf971d721e52a19bcfcbabc12aca65c68b28
Instruction ID: 4178e1b75c950621adcc716217fd71b44802286875e5f07a19f9411e25e4cc4f
Opcode Fuzzy Hash: 472d6c95894369a90536220468fcaf971d721e52a19bcfcbabc12aca65c68b28
Instruction Fuzzy Hash: 35713935A042258FCB69CF18C4A0AA9B7F2FF49704F1A85DEC94A6B751DB71AD41CF80

Function 000D7480 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 000D753E

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: b55b794135abbcd905933dbec6b4f3aeb724f5d8511f58edbb48873d9017c84c
Instruction ID: ee95c2c3a9221caa691926186982863d362a3af42008849d2706d348b8cca14c
Opcode Fuzzy Hash: b55b794135abbcd905933dbec6b4f3aeb724f5d8511f58edbb48873d9017c84c
Instruction Fuzzy Hash: 08514734A056258FDB29CF08C4A0BA5B7F1BF49704F1A81DAC94A6B365EB71AD41CF90

Function 000D7D00 Relevance: 1.4, Strings: 1, Instructions: 122COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 000D7DBE

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: a824fe22e870b81de1846452366c129bde94d258aaef179cff184f734bf4c094
Instruction ID: d6387721ee6ea9bb4a2f85c0df72a8873decd0728111817679c7924b50d16de9
Opcode Fuzzy Hash: a824fe22e870b81de1846452366c129bde94d258aaef179cff184f734bf4c094
Instruction Fuzzy Hash: 38512734A056258FDB29CF18C4A0B69B7F2FF49704F1A41DAC94A6B761E731AD41CB90

Function 000D6390 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 000D6446

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: 69d3c1a7c212f50ef33c7bf286afb484d78529b0d2733861eb4b1ff241a4d124
Instruction ID: 54c8aa3045be9c5666a196e1ab7c755520d1dcbb4e2715197982de3d79d1ff5d
Opcode Fuzzy Hash: 69d3c1a7c212f50ef33c7bf286afb484d78529b0d2733861eb4b1ff241a4d124
Instruction Fuzzy Hash: 54515D349012258FDB29CF08C4A0B69B7F1FF49708F1A41DEC9496B752D731AD81CB90

Function 000D5E00 Relevance: 1.4, Strings: 1, Instructions: 121COMMON

Download Yara Rule

Strings

@PG@Q5, xrefs: 000D5EB7

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID: @PG@Q5
API String ID: 0-96674166
Opcode ID: 108a405056a81fbce8face58c7579f6b82013cc8552661a579d42ac91b68864d
Instruction ID: fa1e79412530f9f854c528df20a880579253d7764e42cb1e58b1b5cc536a487e
Opcode Fuzzy Hash: 108a405056a81fbce8face58c7579f6b82013cc8552661a579d42ac91b68864d
Instruction Fuzzy Hash: C5513935A006258FDB29DF08C8A0BA5B7F1FF49705F1A81DEC94A6B351DB31AE41CB90

Function 00102710 Relevance: .6, Instructions: 611COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7d60a3606484dc24ce4d1601d47de240b34fe84440918cfe58ec46acf4167f93
Instruction ID: d2d4ad574b53c86db6e02f72df38468c756c7658e1009486285a7e07cda8935d
Opcode Fuzzy Hash: 7d60a3606484dc24ce4d1601d47de240b34fe84440918cfe58ec46acf4167f93
Instruction Fuzzy Hash: BC2203B1A083458FD314CF18C48836AFBE1FBD8354F69492EE9D687381E7B5D9458B82

Function 000CA7B0 Relevance: .3, Instructions: 260COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88000c26879c6d980dd38b1d3d96e577baab3fdf4e85fee7c7d94d4b99381b1b
Instruction ID: d1faa12cd8a23e76def066979291b7e4d24f8bf389a8d89fcbdc78101f463553
Opcode Fuzzy Hash: 88000c26879c6d980dd38b1d3d96e577baab3fdf4e85fee7c7d94d4b99381b1b
Instruction Fuzzy Hash: 9EA18E75A0424ACFCB05CF68C480AADFBF1FF5A310F55829AE846EB346D730A945CB91

Function 000C9D80 Relevance: .2, Instructions: 195COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d7bea6773f5537e54d9dd6d036d0561177dc8cce868c3e38092e475c58123c9
Instruction ID: 92142c9a944a75bcbc919f127bdb8f0ed2f5deab35764afa33a184568a319d64
Opcode Fuzzy Hash: 3d7bea6773f5537e54d9dd6d036d0561177dc8cce868c3e38092e475c58123c9
Instruction Fuzzy Hash: B3512AB2E0051A8FCB14CFACC984AADB7F5FB58310F25826EE815E7740E731A910CB94

Function 000CD7C0 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e05db838be483252b6add9944f1ae81ed0819c3397a54c594c35cae1da87db9e
Instruction ID: c72597beebad36389b40eeaab940bdf1937f5eb400c2319bfe753d9b95e84c0f
Opcode Fuzzy Hash: e05db838be483252b6add9944f1ae81ed0819c3397a54c594c35cae1da87db9e
Instruction Fuzzy Hash: E271BFB5E002189FCB48CFA9D985A9DFBF1FF4C310B1581AAE819E7305D734AA518F94

Function 000D65C7 Relevance: .1, Instructions: 61COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 92cd6d70b484a2e5ff47d394f83d7b7b2b14b3a3b505d54de5a58e292943b035
Instruction ID: 3edb1a1e28e38f578a731ca3e39c7c311b8c97e551cf7d7ee87f8e1519bd3463
Opcode Fuzzy Hash: 92cd6d70b484a2e5ff47d394f83d7b7b2b14b3a3b505d54de5a58e292943b035
Instruction Fuzzy Hash: F62159346046158FDB29CF18C8A0E65B3B2FF95348F1981DEC85A5B366DB32ED46CB90

Function 000CEDA0 Relevance: .0, Instructions: 2COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction ID: 25aae2582423029eb19f4489c776d3d70638aac6ce1da4afce0c8a8e650509f3
Opcode Fuzzy Hash: 6cae658f33ca92bcc76ffcd72798f6487763aeebc788fd534dd3d52e563a93f0
Instruction Fuzzy Hash:

Function 000F65E0 Relevance: 28.9, APIs: 23, Instructions: 180COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F6658
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000088,00000000), ref: 000F667A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F6690
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F66B8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?), ref: 000F6758
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F676E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000), ref: 000F678A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?), ref: 000F67CA
free.API-MS-WIN-CRT-HEAP-L1-1-0 ref: 000F67E0
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F67F6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?), ref: 000F680C
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?), ref: 000F6822
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 000F6838
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 000F684E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 000F6864
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 000F687A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 000F6890
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 000F68A6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 000F68BC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?), ref: 000F68D2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000F68E8
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?,?,?), ref: 000F6909
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,00000000,00000D30), ref: 000F6935

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 41bfe48691643db65b6907b6d390d5d2667f0095558f067409994d9a50ddab4b
Instruction ID: e0c37e17ab34faefd4026d2b9ddfc1d9b1aede745067805c447b9e243cec8c94
Opcode Fuzzy Hash: 41bfe48691643db65b6907b6d390d5d2667f0095558f067409994d9a50ddab4b
Instruction Fuzzy Hash: AD812C70604602FFEB496BB0DC49BD5FAA5BF44305F000315F92C556A2CBBA60A8DBE2

Function 0010CD90 Relevance: 28.3, APIs: 13, Strings: 3, Instructions: 346COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010CDE3
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010CE7B
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010CE9E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010CEB1
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010CEEF
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010CF4D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010CF74
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010CF87
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010CFD9
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010D0EB
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010D0F7
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010D11D
fflush.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s,?,?,00000000,?,?,00000000,?,?,00000000,?,?,00000000), ref: 0010D214

Strings

%% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed, xrefs: 0010CE21
** Resuming transfer from byte position %lld, xrefs: 0010CE0E
%3lld %s %3lld %s %3lld %s %s %s %s %s %s %s, xrefs: 0010D1FE

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$fflush
String ID: %3lld %s %3lld %s %3lld %s %s %s %s %s %s %s$ %% Total %% Received %% Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed$** Resuming transfer from byte position %lld
API String ID: 1893817590-1872798829
Opcode ID: 87da229a148c707d5e03d42a2614ae226786cf9416f2d6678c33889d402bd1b5
Instruction ID: 7144e356e099e8d91ab7257d3e6593bce74c788718cfa88d9028c4a85cb021bd
Opcode Fuzzy Hash: 87da229a148c707d5e03d42a2614ae226786cf9416f2d6678c33889d402bd1b5
Instruction Fuzzy Hash: 77D15075908745AFD320DB64D841B6BB7EAFF98700F004A1DFADD92291D7B5B8108F92

Function 000EE6F0 Relevance: 24.7, APIs: 12, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

__acrt_iob_func.API-MS-WIN-CRT-STDIO-L1-1-0(00000001,00000088,00000088,?,?,?,?,?,?,?,?,?,?,000F0088,?), ref: 000EE763
fputs.API-MS-WIN-CRT-STDIO-L1-1-0(# Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.,?,?,?,00000088,00000088,?), ref: 000EE7A2
calloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000001,?,?,?,?,?,00000088,00000088,?), ref: 000EE7C1
qsort.API-MS-WIN-CRT-UTILITY-L1-1-0(00000000,00000000,00000004,000EE9D0,?,?,?,?,?,?,00000088,00000088,?), ref: 000EE7FF
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,%s,00000000,?,?,?,?,?,?,?,?,?,?,?,00000088), ref: 000EE831
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,?,?,00000088,00000088,?), ref: 000EE844
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 000EE85E

Strings

# Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk., xrefs: 000EE79D
%s, xrefs: 000EE822

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free$__acrt_iob_funccallocfclosefputsqsort
String ID: # Netscape HTTP Cookie File# https://curl.se/docs/http-cookies.html# This file was generated by libcurl! Edit at your own risk.$%s
API String ID: 935424440-959389649
Opcode ID: cbb6e194ac80860bbceffaa4c829ae96704b0e5ccd14a284c01f576dfe468432
Instruction ID: 426e9e9150a9654fef01962f98250dfedd9f9ddd244ffb40ca2d48685a3a41e2
Opcode Fuzzy Hash: cbb6e194ac80860bbceffaa4c829ae96704b0e5ccd14a284c01f576dfe468432
Instruction Fuzzy Hash: 83512A70A083C49FD7109F65ED457AB7BD8EF41345F080838FC89A6252E766D958C793

Function 000A1230 Relevance: 24.6, APIs: 4, Strings: 10, Instructions: 110COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,001516D4,?), ref: 000A1317
Concurrency::cancel_current_task.LIBCPMT ref: 000A134C
GetModuleHandleW.KERNEL32(00000000), ref: 000A1368

Strings

OllyDbg, xrefs: 000A127F
OLLYDBG, xrefs: 000A124D
x32dbg, xrefs: 000A1294
Cutter, xrefs: 000A1286
WinDbgFrameClass, xrefs: 000A1256
x64dbg, xrefs: 000A126A
Radare2, xrefs: 000A1278
Ghidra, xrefs: 000A1263
Cheat Engine, xrefs: 000A1271
PEExplorer, xrefs: 000A128D

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_taskHandleModulememmove
String ID: Cheat Engine$Cutter$Ghidra$OLLYDBG$OllyDbg$PEExplorer$Radare2$WinDbgFrameClass$x32dbg$x64dbg
API String ID: 4272886007-698559490
Opcode ID: fc4168bcb7973a3513f6ca221afd1f202817086b141e00dade654dda54923c6d
Instruction ID: 4a4943590e370064fe50bcc9a3ee7642a40297573701aa30c85dcf7aa60c611a
Opcode Fuzzy Hash: fc4168bcb7973a3513f6ca221afd1f202817086b141e00dade654dda54923c6d
Instruction Fuzzy Hash: 6D31B4B5D00208EFCB01DFE4D9456DEBFB8EB0A341F440629EC15BB651E7709A58CB91

Function 000F7600 Relevance: 22.6, APIs: 18, Instructions: 96COMMON

Download Yara Rule

APIs

Part of subcall function 000FB110: free.API-MS-WIN-CRT-HEAP-L1-1-0(BE83378B,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000FB154

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,-00000050,00000070,00000040,00000028,000F2EB8,000F2EB8,Closing connection,000F2EB8,00000000,00000000,00000000,?,?,00000088), ref: 000F764F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000F7666
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000F767D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000F7694
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000070,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000F76A7
free.API-MS-WIN-CRT-HEAP-L1-1-0(-00000050,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000F76B5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000F76CB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000F76E1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000F76F7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000F770D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000F7723
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000028,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 000F7735
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000040), ref: 000F7747
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F7757
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F7767
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F777A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?), ref: 000F7796
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F77A7

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c6ffe09d016828f32e6ebb22406176f1dcf82186da8f15080858239b3862c39c
Instruction ID: 475866ae082c1af8e63d1cf0d399e5ffb462fcaf645396e279adcce5cccecb1f
Opcode Fuzzy Hash: c6ffe09d016828f32e6ebb22406176f1dcf82186da8f15080858239b3862c39c
Instruction Fuzzy Hash: 2341CC75004700EFD7516F60DC48BC6BBB9FF49316F004908FA5E46661CBBA6498DF92

Function 00130760 Relevance: 21.2, APIs: 9, Strings: 3, Instructions: 172libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32(ntdll,RtlVerifyVersionInfo), ref: 0013078E
GetProcAddress.KERNEL32(00000000), ref: 00130795
memset.VCRUNTIME140(?,00000000,0000010C,00000000), ref: 001307FC
VerSetConditionMask.KERNEL32(00000000,00000000,00000002,?), ref: 00130861
VerSetConditionMask.KERNEL32(00000000,?,00000001,?), ref: 0013086B
VerSetConditionMask.KERNEL32(00000000,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00130888
VerSetConditionMask.KERNEL32(00000000,?,00000008,00000001,?,00000010,?,?,00000020,?,?,00000001,?), ref: 00130894
VerifyVersionInfoW.KERNEL32(?,00000033,00000000), ref: 001308BC
VerifyVersionInfoW.KERNEL32(?,00000004,00000000), ref: 00130949

Strings

ntdll, xrefs: 00130789
RtlVerifyVersionInfo, xrefs: 00130784
DMw, xrefs: 0013079B, 0013089B, 00130914

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ConditionMask$InfoVerifyVersion$AddressHandleModuleProcmemset
String ID: DMw$RtlVerifyVersionInfo$ntdll
API String ID: 2720349688-945717450
Opcode ID: affac60c6d2240b4a034b9f2a72f0d0926ad2dad2b745f2c2357a5402523c4c1
Instruction ID: 880e21a9667b4d82c4d1eb95004613ba7bd38856700642efab67671ab1658db3
Opcode Fuzzy Hash: affac60c6d2240b4a034b9f2a72f0d0926ad2dad2b745f2c2357a5402523c4c1
Instruction Fuzzy Hash: 6B511571608341EFE7219B64DC56BAF7BD8ABCD304F08481EF58D972A1C7B59884CB62

Function 00100E80 Relevance: 17.7, APIs: 5, Strings: 5, Instructions: 233COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.,?,00000000,000006DC,?,00000088), ref: 00100F13
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 00100FD8
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?), ref: 00101005
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,000006DC,?,00000088), ref: 00101013

Strings

%s%s "%s", xrefs: 00100F5F
# Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00100F0E
%d%02d%02d %02d:%02d:%02d, xrefs: 001010F6
unlimited, xrefs: 00100F4E
%s%s "%d%02d%02d %02d:%02d:%02d", xrefs: 00100FBB

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: _unlinkfclosefputsfree
String ID: # Your HSTS cache. https://curl.se/docs/hsts.html# This file was generated by libcurl! Edit at your own risk.$%d%02d%02d %02d:%02d:%02d$%s%s "%d%02d%02d %02d:%02d:%02d"$%s%s "%s"$unlimited
API String ID: 820369455-2451391588
Opcode ID: fe2f393ca545ade90025fe759f22e09ec245a72a3ffb0c4345fd3d4d7a46a1cc
Instruction ID: be439ce7934fc141539f102c664023830b969481894f4035d7e4a773c80dede1
Opcode Fuzzy Hash: fe2f393ca545ade90025fe759f22e09ec245a72a3ffb0c4345fd3d4d7a46a1cc
Instruction Fuzzy Hash: 6E81D071604345AFDB14CF64D881A6BB7E8FF88314F044A2DF995D3291E7B5D884CB92

Function 0010E700 Relevance: 17.7, APIs: 9, Strings: 1, Instructions: 166fileCOMMON

Download Yara Rule

APIs

fopen.API-MS-WIN-CRT-STDIO-L1-1-0(?,001477C4,?,00000088,?,765C6BF0), ref: 0010E748
_fileno.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,?,?,765C6BF0), ref: 0010E764
_fstat64.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000), ref: 0010E76E
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?), ref: 0010E79A

Part of subcall function 0010F990: BCryptGenRandom.BCRYPT(00000000,?), ref: 0010F9E0

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,%s%s.tmp,00000000,?), ref: 0010E86F
_fdopen.API-MS-WIN-CRT-MATH-L1-1-0(00000000,001477C4), ref: 0010E8A8
_close.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 0010E8BC
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(00000000), ref: 0010E8C3
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,765C6BF0), ref: 0010E8DE

Strings

%s%s.tmp, xrefs: 0010E862

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free$CryptRandom_close_fdopen_fileno_fstat64_unlinkfclosefopen
String ID: %s%s.tmp
API String ID: 2683694328-1935936288
Opcode ID: 1800415b44e58d55ee2a9f0a4ec2f337c93de17304b8f7a2c52fc929722d5373
Instruction ID: 818d8783a084631bd97df1ba32f88e6a9e128b04fb87e62c5b018ad6af33e1f3
Opcode Fuzzy Hash: 1800415b44e58d55ee2a9f0a4ec2f337c93de17304b8f7a2c52fc929722d5373
Instruction Fuzzy Hash: 01511031908304AFE7209B25CC45BAB77E8AB45304F044D3AF8C5D72D2E7B6D949CB92

Function 000CD4B0 Relevance: 16.7, APIs: 10, Strings: 1, Instructions: 152COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000040,?,00000020), ref: 000CD4E7
memset.VCRUNTIME140(?,00000036,00000040,?,00000020), ref: 000CD4F7
memset.VCRUNTIME140(?,0000005C,00000040,?,?,?,?,00000020), ref: 000CD50A
memmove.VCRUNTIME140(?,?,00000040,?,?,?,?,?,?,?,00000020), ref: 000CD5C8
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000050,?,?,?,?,?,?,?,?,?,?,00000020), ref: 000CD617
memmove.VCRUNTIME140(00000040,?,00000010,?,?,?,?,?,?,?,?,?,?,?,00000020), ref: 000CD64C
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000020), ref: 000CD66D
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000060), ref: 000CD674
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000020), ref: 000CD6CD
memmove.VCRUNTIME140(?,?,000B3B6D), ref: 000CD6ED

Strings

gj, xrefs: 000CD539

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmovememset$freemalloc
String ID: gj
API String ID: 1323586892-4203073231
Opcode ID: 7dc8a4f5d4a0aeb3c15be7967b8d73e6754c197bf99cac84f2946fec1c72c21e
Instruction ID: ba7e15437c2ebcda429caeb5d713bbc7ea9a6a126ada888f85e26e7063c96cbf
Opcode Fuzzy Hash: 7dc8a4f5d4a0aeb3c15be7967b8d73e6754c197bf99cac84f2946fec1c72c21e
Instruction Fuzzy Hash: 3C619271D0475C97DB219F68DD05BEEB3B4BF69304F04A2A5E94CB6112FB706AD88B80

Function 000C2BA0 Relevance: 16.2, APIs: 8, Strings: 1, Instructions: 411COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000078,7096605D,?,?), ref: 000C2C07
__std_exception_destroy.VCRUNTIME140(?,?), ref: 000C2D7C
__std_exception_destroy.VCRUNTIME140(?), ref: 000C2D92
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000C2E16
__std_exception_destroy.VCRUNTIME140(?,?,?,?), ref: 000C2FE1
__std_exception_destroy.VCRUNTIME140(?), ref: 000C2FF7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000C3081
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,7096605D,?,?), ref: 000C316A

Strings

value, xrefs: 000C2C99, 000C2EF2

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$_invalid_parameter_noinfo_noreturn$memset
String ID: value
API String ID: 2005958071-494360628
Opcode ID: 2edbfaac5cba1ae17b6202704009e3ee98c1aa0d2a997d8012b147ba5c9fe403
Instruction ID: 3010d3da38027c1b16bf9bc91907de0e57831423d948abfc2c330079e560a2ca
Opcode Fuzzy Hash: 2edbfaac5cba1ae17b6202704009e3ee98c1aa0d2a997d8012b147ba5c9fe403
Instruction Fuzzy Hash: 30F1AC71D002588FDB28DB64CC95BEEBBB5AF05310F1482ADE449A7682DB706BC4CF91

Function 000F4180 Relevance: 15.0, APIs: 12, Instructions: 41COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,000F4AF6,00000020,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F4187
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F4196
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F41A6
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F41B6
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F41C6
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F41D6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F41E6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F41F6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F4206
free.API-MS-WIN-CRT-HEAP-L1-1-0(0000000A,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F4216
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F4226
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,00000000,000F6674,00000000,00000088,00000000), ref: 000F4236

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: bc0942d53af3f6d000c51c603bb330f38400b9c91aea57e5c6c339c27554e5c1
Instruction ID: dbacb5801260077ace8986445cd0681cf571a69a6180aa18eca17b0f04ff32f1
Opcode Fuzzy Hash: bc0942d53af3f6d000c51c603bb330f38400b9c91aea57e5c6c339c27554e5c1
Instruction Fuzzy Hash: B711D075004B00EFDB615F91D908786BBF5FF08716F104E08F99E45AA0C7BAA099DF96

Function 000A1E50 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 212COMMON

Download Yara Rule

APIs

fgetc.API-MS-WIN-CRT-STDIO-L1-1-0(00000000), ref: 000A1EE0

Strings

]m, xrefs: 000A1FA5

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: fgetc
String ID: ]m
API String ID: 2807381905-1371441723
Opcode ID: 5d13f4fecd98f95502462e24c2432364c71b1a89eec754f2a3410b8714d0e7e3
Instruction ID: 49c401f826ac889d03fed7cb22f79e04ba8435c117dd5b033d301b78628abd3e
Opcode Fuzzy Hash: 5d13f4fecd98f95502462e24c2432364c71b1a89eec754f2a3410b8714d0e7e3
Instruction Fuzzy Hash: B8917F71D00109DFCB25CFA8C894AEEBBF5FF4A314F14862AE866A7651D730A945CF90

Function 000CDF60 Relevance: 14.2, APIs: 7, Strings: 1, Instructions: 194COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,00000060,7096605D,00000000,00000000), ref: 000CDFE4

Part of subcall function 000B1060: GetProcessHeap.KERNEL32(000CE00A,7096605D,00000000,00000000), ref: 000B10A1

GetCurrentProcess.KERNEL32 ref: 000CE085
OpenProcessToken.ADVAPI32(00000000,00020008,?), ref: 000CE098
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,001515B4), ref: 000CE143
UnloadUserProfile.USERENV(00000000,00000000,none,00000004), ref: 000CE16E
CloseHandle.KERNEL32(00000000,none,00000004), ref: 000CE183

Part of subcall function 000CE760: GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,7096605D,?,?,?,?,80070057,?), ref: 000CE7A8
Part of subcall function 000CE760: GetLastError.KERNEL32(?,?,?,?,80070057,?), ref: 000CE7AE
Part of subcall function 000CE760: GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000008,?,?,?,?,80070057,?), ref: 000CE830
Part of subcall function 000CE760: IsValidSid.ADVAPI32(?), ref: 000CE875
Part of subcall function 000CE760: GetLengthSid.ADVAPI32(?), ref: 000CE884
Part of subcall function 000CE760: CopySid.ADVAPI32(00000000,00000000,?), ref: 000CE899
Part of subcall function 000CE760: free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,80070057,?), ref: 000CE8C3

Part of subcall function 000CDDA0: ConvertSidToStringSidW.ADVAPI32(00000000,?), ref: 000CDDEB
Part of subcall function 000CDDA0: LocalFree.KERNEL32(?,?), ref: 000CDE02

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,80004005,7096605D,00000000,00000000), ref: 000CE1FA

Strings

none, xrefs: 000CE1C7

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ProcessTokenfree$Information$CloseConvertCopyCurrentErrorFreeHandleHeapLastLengthLocalOpenProfileStringUnloadUserValidmemset
String ID: none
API String ID: 793324379-2140143823
Opcode ID: f67242e5acbe8b565a9085f4ffb7541121887519ca2fea481a5e45bf3373e1fc
Instruction ID: 9f89eb11813ab9f0903b28d88688cf9acb38eb3c21fe685e6c764c01c3fb4321
Opcode Fuzzy Hash: f67242e5acbe8b565a9085f4ffb7541121887519ca2fea481a5e45bf3373e1fc
Instruction Fuzzy Hash: 8671BE70D002899BDF14DFA4CD59BEEBBF4BF45304F14819DE905A7291EB74AA84CBA0

Function 0010E620 Relevance: 13.6, APIs: 9, Instructions: 89sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 000EED50: QueryPerformanceCounter.KERNEL32(765C6BF0,765C6BF0,?,?,765C6BF0), ref: 000EED63
Part of subcall function 000EED50: __alldvrm.LIBCMT ref: 000EED7D
Part of subcall function 000EED50: __ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000EEDA4

_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?,00000000,?,00000000,?,765C6BF0), ref: 0010E643
_strdup.API-MS-WIN-CRT-STRING-L1-1-0(?), ref: 0010E64B
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0010E65C
Sleep.KERNEL32(00000001), ref: 0010E6A9
MoveFileExA.KERNEL32(00000000,00000000,00000001(MOVEFILE_REPLACE_EXISTING)), ref: 0010E6AF
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0010E6C0
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0010E6CA

Part of subcall function 000EED50: GetTickCount.KERNEL32 ref: 000EEDC1

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0010E6E4
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0010E6EE

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free$FileMove_strdup$CountCounterPerformanceQuerySleepTickUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID:
API String ID: 2436438912-0
Opcode ID: d11b6de294789ae02c4cfe5bd7a619cff3c564c1f756f4f5b66ed95ca10f589b
Instruction ID: 7e08a9b615a78a0135a6f04c905ada9e553e5cdae474b7b955e3d880a31687ee
Opcode Fuzzy Hash: d11b6de294789ae02c4cfe5bd7a619cff3c564c1f756f4f5b66ed95ca10f589b
Instruction Fuzzy Hash: 75217831D003086BE2212726BC81AFF77A4EFD6754F080924FD4863262FB57E9D942E6

Function 000B89EE Relevance: 12.6, APIs: 4, Strings: 3, Instructions: 396COMMON

Download Yara Rule

APIs

Part of subcall function 000C1600: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000000,00000000,001A60AC), ref: 000C17BF

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,CDCED9D8,?,00000001,00000000,?,message,success), ref: 000B8B27

Part of subcall function 000BA460: strtol.API-MS-WIN-CRT-CONVERT-L1-1-0(?,00000000,00000010,?,00000002,7096605D,1FFFB800), ref: 000BA550

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,?,?,?,?,?,?,CDCED9D8,?,00000001,00000000,?,message,success), ref: 000B8C67
memmove.VCRUNTIME140(?,?,?,?,00000000,?,?,?,?,?,?,?,?,CDCED9D8,?,00000001), ref: 000B8D0C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,CDCED9D8,?,00000001,00000000,?,message,success), ref: 000B8EA3

Strings

!, xrefs: 000B8CA1
success, xrefs: 000B8A12
message, xrefs: 000B8A25

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturn$memmovestrtol
String ID: !$message$success
API String ID: 43302329-2055558241
Opcode ID: 5163ed697bcd93110ea3dda0484100689906f1701131f81951aa697b379a6fa3
Instruction ID: a72a483c328368b8a83a44dea6ce6517532a4c3215d24ca4d1aabf2f354c1592
Opcode Fuzzy Hash: 5163ed697bcd93110ea3dda0484100689906f1701131f81951aa697b379a6fa3
Instruction Fuzzy Hash: 00F112719001588FDB18DB24CC98BEDBBB5AF45300F14C2E9E05AAB6A2CB749EC4DF51

Function 000C8033 Relevance: 12.6, APIs: 5, Strings: 2, Instructions: 387COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140 ref: 000C8881
__std_exception_destroy.VCRUNTIME140(?), ref: 000C8897
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 000C891F
__std_exception_destroy.VCRUNTIME140(?,00000000,object key,0000000A), ref: 000C8A02
__std_exception_destroy.VCRUNTIME140(?), ref: 000C8A18

Strings

object key, xrefs: 000C8931
object separator, xrefs: 000C87B0

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$_invalid_parameter_noinfo_noreturn
String ID: object key$object separator
API String ID: 2506729964-2279923633
Opcode ID: f00fb11ec31371234181c24c4002f732218431f18ef735871e4f957fa1e45355
Instruction ID: fdf7c3539c85d4a380c88110023154d9f9f7b2dc13f78485326bef1f495e0c69
Opcode Fuzzy Hash: f00fb11ec31371234181c24c4002f732218431f18ef735871e4f957fa1e45355
Instruction Fuzzy Hash: CBE1C270D002199FDB14CB68CC98FEEB7B5BF45300F14869DE50AE7682DB70AA84CB95

Function 00126140 Relevance: 12.5, APIs: 10, Instructions: 25COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00124E8F,?,?,000F9FA0,?), ref: 00126147
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00126150
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00126159
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00126162
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 0012616B
free.API-MS-WIN-CRT-HEAP-L1-1-0(0000000F), ref: 00126174
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 0012617D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00126186
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 0012618F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00126198

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 50198854adf494f17915e86c638855d875a3b1175c176dfb809fed927b4a8631
Instruction ID: da1c4495df666572a823984036cdf4804249521b7a106e9d48fe661f10fa6dba
Opcode Fuzzy Hash: 50198854adf494f17915e86c638855d875a3b1175c176dfb809fed927b4a8631
Instruction Fuzzy Hash: 09F09432010710EFCB211F65ED098C57BB9FF086127104E14F99A458B0C77B58E9DB82

Function 000FFFC0 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 184COMMON

Download Yara Rule

APIs

fputs.API-MS-WIN-CRT-STDIO-L1-1-0(# Your alt-svc cache. https://curl.se/docs/alt-svc.html# This file was generated by libcurl! Edit at your own risk.,?,000006E0), ref: 0010003D
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,00000088), ref: 0010019C
_unlink.API-MS-WIN-CRT-FILESYSTEM-L1-1-0(?), ref: 001001CC
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000006E0), ref: 001001DA
fclose.API-MS-WIN-CRT-STDIO-L1-1-0(?,?,?,?,?,?,?,?,?,00000088), ref: 00100202

Strings

# Your alt-svc cache. https://curl.se/docs/alt-svc.html# This file was generated by libcurl! Edit at your own risk., xrefs: 00100038
%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d, xrefs: 0010017F

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: fclose$_unlinkfputsfree
String ID: # Your alt-svc cache. https://curl.se/docs/alt-svc.html# This file was generated by libcurl! Edit at your own risk.$%s %s%s%s %u %s %s%s%s %u "%d%02d%02d %02d:%02d:%02d" %u %d
API String ID: 549198444-1497203839
Opcode ID: 772899479aae7d2998269712b27ed045108df482c3489a5998b1791fc59f429c
Instruction ID: 5c6c2566724facbb4b83089509c6e7017430a2e55e2942beb77b57db27eb5389
Opcode Fuzzy Hash: 772899479aae7d2998269712b27ed045108df482c3489a5998b1791fc59f429c
Instruction Fuzzy Hash: 0161AEB5604301AFDB119F95DD44B2BBBEAFF88304F04082DF9C6962A1E7B1D858CB52

Function 000C9299 Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 182COMMON

Download Yara Rule

APIs

Part of subcall function 000AE120: memmove.VCRUNTIME140(?,75570E50,?,?,?,?,75570E50), ref: 000AE152

Part of subcall function 000AFB40: memmove.VCRUNTIME140(?,parse error,0000000B,00000000), ref: 000AFC20

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 000C891F
__std_exception_destroy.VCRUNTIME140(?,00000000,object key,0000000A), ref: 000C8A02
__std_exception_destroy.VCRUNTIME140(?), ref: 000C8A18
__std_exception_destroy.VCRUNTIME140 ref: 000C9376
__std_exception_destroy.VCRUNTIME140(?), ref: 000C938C

Strings

value, xrefs: 000C92A5
object key, xrefs: 000C8931

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$memmove$_invalid_parameter_noinfo_noreturn
String ID: object key$value
API String ID: 2901057578-3662756203
Opcode ID: 341daeb2fcec278cd3d999d01f9906a48b0e4f14a940f8e48aa092a54f774b6b
Instruction ID: 4c1c2fbc283fcaa2ecda0076f05d9b4feaea22ae903b5e0fc47951f672854af9
Opcode Fuzzy Hash: 341daeb2fcec278cd3d999d01f9906a48b0e4f14a940f8e48aa092a54f774b6b
Instruction Fuzzy Hash: 1A71A271D0026C8BDB14DB64CC99BEEBB75BF05304F14829DE149AB692DB706AC88F51

Function 000C7C5C Relevance: 12.4, APIs: 5, Strings: 2, Instructions: 175COMMON

Download Yara Rule

APIs

Part of subcall function 000AE120: memmove.VCRUNTIME140(?,75570E50,?,?,?,?,75570E50), ref: 000AE152

Part of subcall function 000AFB40: memmove.VCRUNTIME140(?,parse error,0000000B,00000000), ref: 000AFC20

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 000C72C0
__std_exception_destroy.VCRUNTIME140(?,00000000,object key,0000000A), ref: 000C73A3
__std_exception_destroy.VCRUNTIME140(?), ref: 000C73B9
__std_exception_destroy.VCRUNTIME140 ref: 000C7D39
__std_exception_destroy.VCRUNTIME140(?), ref: 000C7D4F

Strings

value, xrefs: 000C7C68
object key, xrefs: 000C72D2

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy$memmove$_invalid_parameter_noinfo_noreturn
String ID: object key$value
API String ID: 2901057578-3662756203
Opcode ID: 79c371250dff7467a702a2e934808f42229dca921f9d3f6e10f964d22a578fc2
Instruction ID: 85dc3c8e447eeccfaaaac082c3e175c49bdb69b89c157b5f79b273f98fc6c80f
Opcode Fuzzy Hash: 79c371250dff7467a702a2e934808f42229dca921f9d3f6e10f964d22a578fc2
Instruction Fuzzy Hash: D671AF71D002588BEB25DBA4CD99BEEBBB4AF05304F10829DE50DAB682D7746B84CF51

Function 000AE320 Relevance: 12.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,7FFFFFFF,?,?,?,?), ref: 000AE3FC
memmove.VCRUNTIME140(?,?,?,00000000,7FFFFFFF,?,?,?,?), ref: 000AE40A
memmove.VCRUNTIME140(?,?,?,?,?,?,00000000,7FFFFFFF,?,?,?,?), ref: 000AE41E
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?,?,?,?,?), ref: 000AE45B
memmove.VCRUNTIME140(00000000,?,?,?,?,?), ref: 000AE463
memmove.VCRUNTIME140(7FFFFFFF,?,?,00000000,?,?,?,?,?), ref: 000AE46F
memmove.VCRUNTIME140(?,?,?,7FFFFFFF,?,?,00000000,?,?,?,?,?), ref: 000AE483

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

Concurrency::cancel_current_task.LIBCPMT ref: 000AE49D

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 7f7b263bb41792a3f02ff2de6c08b910fd5ac690bc9f2c57c580f7a0e5e36510
Instruction ID: dce2d4de3dbec3c7feb1bd95e62c99907f302a6ed2dab3fcaaade52664321505
Opcode Fuzzy Hash: 7f7b263bb41792a3f02ff2de6c08b910fd5ac690bc9f2c57c580f7a0e5e36510
Instruction Fuzzy Hash: F941BE72D001599FCF15DFA8CC859AEBBB6BF49300B150269F815A7342D730DE619B91

Function 000CE760 Relevance: 12.2, APIs: 8, Instructions: 153COMMON

Download Yara Rule

APIs

GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000000,00000000,?,7096605D,?,?,?,?,80070057,?), ref: 000CE7A8
GetLastError.KERNEL32(?,?,?,?,80070057,?), ref: 000CE7AE
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,80070057,?), ref: 000CE7F9
GetTokenInformation.ADVAPI32(00000000,00000001(TokenIntegrityLevel),00000008,?,?,?,?,80070057,?), ref: 000CE830
IsValidSid.ADVAPI32(?), ref: 000CE875
GetLengthSid.ADVAPI32(?), ref: 000CE884
CopySid.ADVAPI32(00000000,00000000,?), ref: 000CE899
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,80070057,?), ref: 000CE8C3

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: InformationToken$CopyErrorLastLengthValidfreemalloc
String ID:
API String ID: 2357097940-0
Opcode ID: 804eddbe959cb5ceff80fc5bc20b84e06f36484b2a3289fc7279dec21a828f24
Instruction ID: b83768d8793612f0a3490d49d10f26c7afbbd6e4552b763b49ba6505eeee9a73
Opcode Fuzzy Hash: 804eddbe959cb5ceff80fc5bc20b84e06f36484b2a3289fc7279dec21a828f24
Instruction Fuzzy Hash: CC518271900285AFDB60DF65CC85FAEB7A8FF05700F14442DF509A7652DB35A998CBA0

Function 000CE510 Relevance: 12.1, APIs: 8, Instructions: 121COMMON

Download Yara Rule

APIs

_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 000CE597
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 000CE5A9
memmove.VCRUNTIME140(?,?,?,?,?), ref: 000CE5C0
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?), ref: 000CE60D

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: _errno$_invalid_parameter_noinfomemmove
String ID:
API String ID: 351588475-0
Opcode ID: 2f1616ac0e3b576b571b49691c78081897426a3434be0b3ebfe29e3cab4a4b1c
Instruction ID: 25d3ae0e5ebe2a3e915794fec30ebbb0608408ca73ffe9aa11543bccfb7d31b4
Opcode Fuzzy Hash: 2f1616ac0e3b576b571b49691c78081897426a3434be0b3ebfe29e3cab4a4b1c
Instruction Fuzzy Hash: 8B3137BAA10A50DFCB249F64DC49FAEB7E1EFA5340F10466DEC02DB354EB319C4086A1

Function 000AFB40 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 318COMMON

Download Yara Rule

APIs

Part of subcall function 000AE120: memmove.VCRUNTIME140(?,75570E50,?,?,?,?,75570E50), ref: 000AE152

memmove.VCRUNTIME140(?,parse error,0000000B,00000000), ref: 000AFC20
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000002,00000000,0014F9AC,00000002,?,?,?,0000000B,00000000,parse error,0000000B,00000000), ref: 000AFECE
__std_exception_copy.VCRUNTIME140(?,0000000F,?,00000002,00000000,0014F9AC,00000002,?,?,?,0000000B,00000000,parse error,0000000B,00000000), ref: 000AFF20
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000AFF5F

Strings

parse_error, xrefs: 000AFBBF
parse error, xrefs: 000AFC1A, 000AFC33

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmove$__std_exception_copy
String ID: parse error$parse_error
API String ID: 2013804569-1820534363
Opcode ID: 6446b793abe6def5edb8b42806bea148c6aa4b626f0e72f96e738e92bbd70eb5
Instruction ID: d039c85b9d60a8eea2a53284ca19df217b7b34f912ed8e47468f2775329982c5
Opcode Fuzzy Hash: 6446b793abe6def5edb8b42806bea148c6aa4b626f0e72f96e738e92bbd70eb5
Instruction Fuzzy Hash: B1D1D571D00249DFDB18CFA4CD89BADFBB1FF46300F148269E414AB692D774AA85CB91

Function 000C3590 Relevance: 10.7, APIs: 7, Instructions: 182COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000001,?,00000001,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 000C3614
memmove.VCRUNTIME140(00000001,?,00000001,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 000C365F
memmove.VCRUNTIME140(?,DCC8DA8D,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 000C3675
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 000C36F6
memmove.VCRUNTIME140(00000002,DCC8DA8D,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 000C3726
memmove.VCRUNTIME140(DCC8DA8D,?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 000C3743
Concurrency::cancel_current_task.LIBCPMT ref: 000C375B

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: b3546f7e61527bf1cd4072797bff3ce302e6e53cae58e1e3fe1cf0657ea84b98
Instruction ID: 8a2a9ee7e8ff31661b7c219ff00d5141a49b920365014422a4b60762004f0f59
Opcode Fuzzy Hash: b3546f7e61527bf1cd4072797bff3ce302e6e53cae58e1e3fe1cf0657ea84b98
Instruction Fuzzy Hash: 47518EB1A102059BCB24DF68D885BAEB7F4FF45304F14876EE4159B702E731EA94CBA1

Function 000BDE00 Relevance: 10.6, APIs: 7, Instructions: 113COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(7096605D,00000000,00000000), ref: 000BDE3D
??0?$basic_istream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000), ref: 000BDE5B
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 000BDE85
?_Xbad_alloc@std@@YAXXZ.MSVCP140 ref: 000BDEB3
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000BDEE4

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

memmove.VCRUNTIME140(00000000,000BB7BD,CC8BFFFF), ref: 000BDEFA
Concurrency::cancel_current_task.LIBCPMT ref: 000BDF3F

Part of subcall function 000A15F0: _CxxThrowException.VCRUNTIME140(?,00155D48,?,?,?,75570E50), ref: 000A1607
Part of subcall function 000A15F0: __std_exception_copy.VCRUNTIME140(?,00000000,?,?,?,00155D48,?,?,?,75570E50), ref: 000A162E

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_istream@??0?$basic_streambuf@Concurrency::cancel_current_taskD@std@@@1@_ExceptionThrowV?$basic_streambuf@Xbad_alloc@std@@__std_exception_copy_invalid_parameter_noinfo_noreturnmallocmemmove
String ID:
API String ID: 3583517682-0
Opcode ID: 61c5317c31daa717307125464e92b35082735ef6f12d21329e6cd5fd7d37e580
Instruction ID: b87f1f8c8afd742be798e534c1ebdd7acb307cfd1318f8f9794e7e702e163370
Opcode Fuzzy Hash: 61c5317c31daa717307125464e92b35082735ef6f12d21329e6cd5fd7d37e580
Instruction Fuzzy Hash: 9D417CB5900204DFCB11DF58C884B9ABBF8FF09310F11456AE8169B791E771ED44CBA1

Function 000EEB90 Relevance: 10.6, APIs: 7, Instructions: 90COMMON

Download Yara Rule

APIs

_time64.API-MS-WIN-CRT-TIME-L1-1-0(00000000,00000088,00000088), ref: 000EEB97
free.API-MS-WIN-CRT-HEAP-L1-1-0(0000000F,?), ref: 000EEC44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000EEC4D
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000EEC56
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000EEC5F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000EEC68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000EEC6F

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free$_time64
String ID:
API String ID: 3087401894-0
Opcode ID: 31e5275b6f345803b6ee951fe70a0dcec637e1af2af5c3de085bc1c07a769c80
Instruction ID: 6fde38e660513e9be7f0beff71a663e2da09d336fc9f5d63f42b4f0d14392699
Opcode Fuzzy Hash: 31e5275b6f345803b6ee951fe70a0dcec637e1af2af5c3de085bc1c07a769c80
Instruction Fuzzy Hash: 1F31AF71504784CFCB24CF15D88459ABBF0FF88311F244A79FD9AAB2A5C771A885CB92

Function 000EF570 Relevance: 10.6, APIs: 7, Instructions: 71synchronizationCOMMON

Download Yara Rule

APIs

WaitForSingleObject.KERNEL32(?,000000FF,00000000,?,000EA8B5,?), ref: 000EF59B
CloseHandle.KERNEL32(?,?,000000FF,00000000,?,000EA8B5,?), ref: 000EF5A3
EnterCriticalSection.KERNEL32(?,000006DC,?,00000000,00000088,000F6784,00000000), ref: 000EF6F0
LeaveCriticalSection.KERNEL32(?,?,00000000,00000088,000F6784,00000000), ref: 000EF703
CloseHandle.KERNEL32(00000000,?,00000000,00000088,000F6784,00000000), ref: 000EF714
closesocket.WS2_32(?), ref: 000EF77E
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,00000088,000F6784,00000000), ref: 000EF78F

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: CloseCriticalHandleSection$EnterLeaveObjectSingleWaitclosesocketfree
String ID:
API String ID: 768628753-0
Opcode ID: 793189ded28bd9248cd01cb0f655970061b6e2664de005300ea8990afb58f02b
Instruction ID: 03d83f3b170e3f6b0837999b175bcce7644dcf7d23632027c87188e2f743ca4c
Opcode Fuzzy Hash: 793189ded28bd9248cd01cb0f655970061b6e2664de005300ea8990afb58f02b
Instruction Fuzzy Hash: 8E21C5B6104B42FFD7109F25DC48BA6BBE4BF45355F040428EA59A3661C771F890CB91

Function 000F9EE0 Relevance: 10.0, APIs: 8, Instructions: 32COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000088,000F66E3,00000000,00000088), ref: 000F9EEB
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F9F01
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F9F17
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F9F2D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F9F43
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F9F59
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F9F6F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F9F85

Part of subcall function 00124E80: free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,000F9FA0,?), ref: 00124E90

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 566d98786dfa8b2e26c850212567a38eb168cbc5472981bd807c228c69f08d97
Instruction ID: 1ab939003e80074599433eebac1579fe18eb12388b6c2e2c24111f900ab5cd14
Opcode Fuzzy Hash: 566d98786dfa8b2e26c850212567a38eb168cbc5472981bd807c228c69f08d97
Instruction Fuzzy Hash: 1B110679004B40EFEB655F64D858BC6BBA5BB08306F100A08F9AE55660CBBA20D8DF52

Function 000C4960 Relevance: 9.4, APIs: 6, Instructions: 445COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2580228974-0
Opcode ID: 0fb89dc4728012d109799890a294df57fb8cd4434f8277744e5cd72b1f58df43
Instruction ID: 19637d361d58427a663b7e737778dda1ec44ccacfd3e12160ff9449779da9ee3
Opcode Fuzzy Hash: 0fb89dc4728012d109799890a294df57fb8cd4434f8277744e5cd72b1f58df43
Instruction Fuzzy Hash: BD12BF34908645CFCB21CF64C490BAEBBF1BF16304F244A9DD0569B752D336E946CBA1

Function 000BD5EC Relevance: 9.2, APIs: 6, Instructions: 243COMMON

Download Yara Rule

APIs

??1?$basic_streambuf@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 000BD5EC
??1?$basic_ostream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 000BD5F8
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 000BD604
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 000BD838
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 000BD844
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,00000000,\Debug,?), ref: 000BD963
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140(7FFFFFFF,?,00000000,?,00000000,-00000002), ref: 000BD9D8

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$??1?$basic_ios@??1?$basic_istream@$??1?$basic_ostream@??1?$basic_streambuf@_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2127113060-0
Opcode ID: 3d349a27b383779b89d2113f3d5263040ea425c1ee7c107a4c92d686708d1dac
Instruction ID: 7dfff24c707bb6c12ddc247c8de8d9341d63e4af316c158d29220fda8704f10c
Opcode Fuzzy Hash: 3d349a27b383779b89d2113f3d5263040ea425c1ee7c107a4c92d686708d1dac
Instruction Fuzzy Hash: 4791A0719001548FDB1D9F28DCD97EDB7B5AB41300F1482A9E449ABAA6EB349FC19F40

Function 000BEFA0 Relevance: 9.2, APIs: 6, Instructions: 192COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,0000026C,7096605D,00000000,00000000), ref: 000BF044

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

memset.VCRUNTIME140(?,00000000,00000040), ref: 000BF0E3
localeconv.API-MS-WIN-CRT-LOCALE-L1-1-0 ref: 000BF0EB
memset.VCRUNTIME140(?,00000000,00000200), ref: 000BF134
memset.VCRUNTIME140(00000000,00000020,00000200), ref: 000BF17D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,00000000,00000000,00000000), ref: 000BF205

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memset$_invalid_parameter_noinfo_noreturnlocaleconvmalloc
String ID:
API String ID: 4120556116-0
Opcode ID: a8441771e333803ee5476a552e73f382f4d66d5f9a338860ef44b00065ec2b7d
Instruction ID: 5ffa94773c995c051e75ce988857255158b059596872a9be06501c17945beb82
Opcode Fuzzy Hash: a8441771e333803ee5476a552e73f382f4d66d5f9a338860ef44b00065ec2b7d
Instruction Fuzzy Hash: 4A81ACB4D01358DFDB20CF68CC89799BBF0AF45314F2442A9E449AB381DBB56A84CF91

Function 000C2820 Relevance: 9.2, APIs: 6, Instructions: 152COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,7FFFFFFF,?,00000000), ref: 000C28EF
memset.VCRUNTIME140(?,?,?,00000000,7FFFFFFF,?,00000000), ref: 000C28FD
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,00000000), ref: 000C2940
memmove.VCRUNTIME140(00000000,?,?,00000000), ref: 000C2948
memset.VCRUNTIME140(7FFFFFFF,?,?,00000000,?,?,00000000), ref: 000C2954

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

Concurrency::cancel_current_task.LIBCPMT ref: 000C2974

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmovememset$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 4119555314-0
Opcode ID: ddaee8c1608b85c708f585bf4861c8528b0bc14cf5286943853b5ea3a6659d7a
Instruction ID: 115c529c59de546508414dc5516602f632c0da5fa972f04cbee35031ca5d75e9
Opcode Fuzzy Hash: ddaee8c1608b85c708f585bf4861c8528b0bc14cf5286943853b5ea3a6659d7a
Instruction Fuzzy Hash: 6041F272A001149FCB15EFA8C881AAEB7E5FF88310F15066EE815EB742DB30DE559B91

Function 000ADFC0 Relevance: 9.1, APIs: 6, Instructions: 137COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 000AE08E
memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 000AE09C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?), ref: 000AE0DF
memmove.VCRUNTIME140(00000000,?,00000000,?,?), ref: 000AE0E7
memmove.VCRUNTIME140(7FFFFFFF,?,?,00000000,?,00000000,?,?), ref: 000AE0F3

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

Concurrency::cancel_current_task.LIBCPMT ref: 000AE113

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: f8a10e3b7e6b31b7396b476c9f66fad07869514f6eb5d01014c7457b478e22b9
Instruction ID: 1b911b7b8ea0002ae9b3b5b220efa6c3eecd16fd83acbf3169b56385760b1dc6
Opcode Fuzzy Hash: f8a10e3b7e6b31b7396b476c9f66fad07869514f6eb5d01014c7457b478e22b9
Instruction Fuzzy Hash: 0341E072E001549FCB15EFACDC81AAEB7F6AF4A300F154269E811EB302D771DE518B91

Function 000C9620 Relevance: 9.1, APIs: 6, Instructions: 134COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,00000000,?,?), ref: 000C96EC
memmove.VCRUNTIME140(00000000,00000001,00000001,00000000,00000000,?,?), ref: 000C96FA
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?), ref: 000C9737
memmove.VCRUNTIME140(00000000,00000000,?,?), ref: 000C973D
memmove.VCRUNTIME140(00000000,?,00000001,00000000,00000000,?,?), ref: 000C9747

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

Concurrency::cancel_current_task.LIBCPMT ref: 000C9761

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: ac2b61360818742589382e44f3df5f2375a55ef2875d9f6887f1b566b7023138
Instruction ID: 2cb0d5e26e48ff26a6114904bdcf40c5a5a44d400a2c68e72b8ae3774671b2df
Opcode Fuzzy Hash: ac2b61360818742589382e44f3df5f2375a55ef2875d9f6887f1b566b7023138
Instruction Fuzzy Hash: 5F4103B2D001149FCB14AF68DC89AAEB7E9EB44350B1502BDE815E7352EB309E109BD0

Function 000BF840 Relevance: 9.1, APIs: 6, Instructions: 129COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,?,?), ref: 000BF882
memset.VCRUNTIME140(?,?,?), ref: 000BF90F
Concurrency::cancel_current_task.LIBCPMT ref: 000BF92E
??1?$basic_istream@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 000BF96F
??1?$basic_ios@DU?$char_traits@D@std@@@std@@UAE@XZ.MSVCP140 ref: 000BF977

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@memset$??1?$basic_ios@??1?$basic_istream@Concurrency::cancel_current_task
String ID:
API String ID: 915423947-0
Opcode ID: 8f65704c36eb7f537f2e676645e4cb8a295e184317f2c1b6392f42ffd5aca2e3
Instruction ID: 9ae57c5baf830a6954721ccbd74e5f1478e6d4b95c15483f0f74c50e40fc1a26
Opcode Fuzzy Hash: 8f65704c36eb7f537f2e676645e4cb8a295e184317f2c1b6392f42ffd5aca2e3
Instruction Fuzzy Hash: EE4115B66003459FD3209F68D884AEEBBE8EF85710F14063EF8568B352DB719A4487A1

Function 000CEAB0 Relevance: 9.1, APIs: 6, Instructions: 107COMMON

Download Yara Rule

APIs

_Query_perf_frequency.MSVCP140 ref: 000CEABE
_Query_perf_counter.MSVCP140 ref: 000CEACA
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000CEB0E
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000CEB41
__alldvrm.LIBCMT ref: 000CEB58
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000CEB7D

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@$Query_perf_counterQuery_perf_frequency__alldvrm
String ID:
API String ID: 1339266948-0
Opcode ID: 005f491885a3a84e912c8f7315b60a5f7ee16bfeee1619c2cea99a8a3cc130b2
Instruction ID: 40a12150d75fca80196d5d25afddb8c0ed96db302ee5d5df1c249a9ede59c421
Opcode Fuzzy Hash: 005f491885a3a84e912c8f7315b60a5f7ee16bfeee1619c2cea99a8a3cc130b2
Instruction Fuzzy Hash: 5D218471A002187EEB149B698C89F7FBBFCEB84750F1041A9F909F7241E7705D004BA4

Function 000C10E0 Relevance: 9.1, APIs: 6, Instructions: 101COMMON

Download Yara Rule

APIs

?_Fiopen@std@@YAPAU_iobuf@@PBDHH@Z.MSVCP140(00000001,?,00000040,7096605D,?,?,?,000B3106,?,00000001,00000000,?,?,?,?,?), ref: 000C1120
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,?,?,000B3106,?,00000001,00000000,?,?,?,?,?,?,00000000,?), ref: 000C113D
_get_stream_buffer_pointers.API-MS-WIN-CRT-STDIO-L1-1-0(00000000,00000000,?,?), ref: 000C1165
?getloc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,?,?,?,?,?,?,?,000B3106,?,00000001,00000000,?,?), ref: 000C11AA

Part of subcall function 000A26E0: ??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,7096605D,00000000,0014F874,?,0013CDA6,000000FF,?,000C11BE), ref: 000A2715
Part of subcall function 000A26E0: ??Bid@locale@std@@QAEIXZ.MSVCP140(?,0013CDA6,000000FF), ref: 000A2730
Part of subcall function 000A26E0: ?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,0013CDA6,000000FF), ref: 000A275B
Part of subcall function 000A26E0: ?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,0013CDA6,000000FF), ref: 000A277E
Part of subcall function 000A26E0: std::_Facet_Register.LIBCPMT ref: 000A2797
Part of subcall function 000A26E0: ??1_Lockit@std@@QAE@XZ.MSVCP140(?,0013CDA6,000000FF), ref: 000A27B2

?always_noconv@codecvt_base@std@@QBE_NXZ.MSVCP140(?,?,?,?,?,?,?,?,000B3106,?,00000001), ref: 000C11C2
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140(?,?,?,?,?,?,?,?,000B3106,?,00000001), ref: 000C11DA

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$Init@?$basic_streambuf@Lockit@std@@$??0_??1_?always_noconv@codecvt_base@std@@?getloc@?$basic_streambuf@Bid@locale@std@@Facet_Fiopen@std@@Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterU_iobuf@@V42@@Vfacet@locale@2@Vlocale@2@_get_stream_buffer_pointersstd::_
String ID:
API String ID: 3911317180-0
Opcode ID: a90571101ef6e4985a7433883a22b34447692826e68588dda6bb93f90c2d3cbc
Instruction ID: 9aea329e643e9673a5ff31aa4fbe96769d70d42259c154b8282cd9c40b325ab1
Opcode Fuzzy Hash: a90571101ef6e4985a7433883a22b34447692826e68588dda6bb93f90c2d3cbc
Instruction Fuzzy Hash: F4412778A006059FCB60CF69C848BAEBBF4FB49710F14452EE916D7B91DB78A944CB90

Function 000A26E0 Relevance: 9.1, APIs: 6, Instructions: 88COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,7096605D,00000000,0014F874,?,0013CDA6,000000FF,?,000C11BE), ref: 000A2715
??Bid@locale@std@@QAEIXZ.MSVCP140(?,0013CDA6,000000FF), ref: 000A2730
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,0013CDA6,000000FF), ref: 000A275B
?_Getcat@?$codecvt@DDU_Mbstatet@@@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,0013CDA6,000000FF), ref: 000A277E
std::_Facet_Register.LIBCPMT ref: 000A2797
??1_Lockit@std@@QAE@XZ.MSVCP140(?,0013CDA6,000000FF), ref: 000A27B2

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@Facet_Getcat@?$codecvt@Getgloballocale@locale@std@@Locimp@12@Mbstatet@@@std@@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 3960873448-0
Opcode ID: 1140399e5cbd581ee74ac60e604181bb7b3b5e2450fc2eebb5a8fd11e6bb3020
Instruction ID: 4cc45cb1d0d1d7694d12f1f63a9e7f6eb1c71ecf6dcc9d0a25b9b811749af775
Opcode Fuzzy Hash: 1140399e5cbd581ee74ac60e604181bb7b3b5e2450fc2eebb5a8fd11e6bb3020
Instruction Fuzzy Hash: A331AF35D04215DFCB11CFA8D848AAEFBB4FB06720F14466AE815A7761D7346E80CBD1

Function 000C1390 Relevance: 9.1, APIs: 6, Instructions: 87COMMON

Download Yara Rule

APIs

??0_Lockit@std@@QAE@H@Z.MSVCP140(00000000,7096605D,000BAFF8,?,?,?,00000000,?,?,000BAFF8,?,?), ref: 000C13C6
??Bid@locale@std@@QAEIXZ.MSVCP140(?,?,00000000,?), ref: 000C13E1
?_Getgloballocale@locale@std@@CAPAV_Locimp@12@XZ.MSVCP140(?,?,00000000,?), ref: 000C140C
?_Getcat@?$ctype@D@std@@SAIPAPBVfacet@locale@2@PBV42@@Z.MSVCP140(?,?,?,?,00000000,?), ref: 000C142F
std::_Facet_Register.LIBCPMT ref: 000C1448
??1_Lockit@std@@QAE@XZ.MSVCP140(?,?,00000000,?), ref: 000C1463

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Lockit@std@@$??0_??1_Bid@locale@std@@D@std@@Facet_Getcat@?$ctype@Getgloballocale@locale@std@@Locimp@12@RegisterV42@@Vfacet@locale@2@std::_
String ID:
API String ID: 295490909-0
Opcode ID: 549777f8804a9c737215e78bd7ea56836164f5e4fce5c51d02b6ba5348355e38
Instruction ID: bf545923b51c644384cfd35c75f30c7824d99418478909e13f3da4e7a3e55474
Opcode Fuzzy Hash: 549777f8804a9c737215e78bd7ea56836164f5e4fce5c51d02b6ba5348355e38
Instruction Fuzzy Hash: 6131AA75E00219DFCB25CF94D848BAEBBB0FB06720F14465AE815A77A2D734AD80CBD0

Function 0010D240 Relevance: 8.9, APIs: 2, Strings: 3, Instructions: 197COMMON

Download Yara Rule

APIs

__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010D320
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 0010D40D

Strings

%2lld:%02lld:%02lld, xrefs: 0010D36B
%3lldd %02lldh, xrefs: 0010D419
%7lldd, xrefs: 0010D436

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Unothrow_t@std@@@__ehfuncinfo$??2@
String ID: %2lld:%02lld:%02lld$%3lldd %02lldh$%7lldd
API String ID: 885266447-1743532675
Opcode ID: 21c2091a8e206692d14f19993226ccae96bb7ee8036a69b9fa06bed787db7765
Instruction ID: 26a80c0e4b8e224261f5be1ac983572b2fb40cc9e032eb0fc88deea83691053a
Opcode Fuzzy Hash: 21c2091a8e206692d14f19993226ccae96bb7ee8036a69b9fa06bed787db7765
Instruction Fuzzy Hash: 71514576B043045BE3089E6C9C41B6AB6D5E7D8750F49463DF898E73E2E7F6DD044281

Function 000BB160 Relevance: 8.9, APIs: 4, Strings: 1, Instructions: 142COMMON

Download Yara Rule

APIs

getenv.API-MS-WIN-CRT-ENVIRONMENT-L1-1-0(ALLUSERSPROFILE,7096605D,00000000,?), ref: 000BB1AF
___std_fs_convert_wide_to_narrow@20.LIBCPMT ref: 000BB260
___std_fs_convert_wide_to_narrow@20.LIBCPMT ref: 000BB28B
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,00000000,?,?,?,00000000,?,00000000,00000000,?,00000000,00000000), ref: 000BB2C0

Strings

ALLUSERSPROFILE, xrefs: 000BB1A3

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ___std_fs_convert_wide_to_narrow@20$_invalid_parameter_noinfo_noreturngetenv
String ID: ALLUSERSPROFILE
API String ID: 2152966803-1909236125
Opcode ID: f75b772e5ac889782f5eb727f5d3d0c48f2cefe5c55f073049d8313710f49937
Instruction ID: 87f30a692978d349f703623976e908a8edf680d788bc7b2f8b03b56dbe4e51a0
Opcode Fuzzy Hash: f75b772e5ac889782f5eb727f5d3d0c48f2cefe5c55f073049d8313710f49937
Instruction Fuzzy Hash: DA411270A002459FDB24DF68C855BEFBBF5EF85300F14462DE851A7291DBB4AA448BA1

Function 000B18E0 Relevance: 7.7, APIs: 5, Instructions: 235COMMON

Download Yara Rule

APIs

__std_exception_destroy.VCRUNTIME140(?), ref: 000B19CE
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000B19EF
__std_exception_destroy.VCRUNTIME140(?), ref: 000B1AE7
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000B1AF2
__std_exception_copy.VCRUNTIME140(?,?,7096605D,?,?,?,00000000,0013D563,000000FF), ref: 000B1B42

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: __std_exception_destroy_invalid_parameter_noinfo_noreturn$__std_exception_copy
String ID:
API String ID: 3884296093-0
Opcode ID: 508f2df314346355958d8ccc305139f9b2741ea1bd57562e79d0f2045f17baa3
Instruction ID: 15d5758534d03a2c3e4e1c67ae5f2df1e9e7f3d0df31b5e909d0a5ebdb61d76f
Opcode Fuzzy Hash: 508f2df314346355958d8ccc305139f9b2741ea1bd57562e79d0f2045f17baa3
Instruction Fuzzy Hash: BC81E1719006409FD328DF28D8A9BEAB7E9EF04310F544A1DE596C7E91E774FA84CB90

Function 000AD9C0 Relevance: 7.7, APIs: 6, Instructions: 166COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?), ref: 000ADA06
memmove.VCRUNTIME140(?,?,?), ref: 000ADA37
memmove.VCRUNTIME140(?,?,?,?,?,?), ref: 000ADA49
memmove.VCRUNTIME140(?,?,?), ref: 000ADAC9
memmove.VCRUNTIME140(0000000F,?,?,?,?,?), ref: 000ADAD5
memmove.VCRUNTIME140(0000000F,?,?,0000000F,?,?,?,?,?), ref: 000ADAEC

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 75b90f57de89330d196d8308c89122bae3420953883efa01a3897ddf521cd6b3
Instruction ID: 86c990b542866264c5404a609d5eca1e86d5f06db86a7ecb92a9c8b214a49935
Opcode Fuzzy Hash: 75b90f57de89330d196d8308c89122bae3420953883efa01a3897ddf521cd6b3
Instruction Fuzzy Hash: 5C415EB2F00219ABCB14DFECDC859AEBBB9EF55310B14456AE905E3701E3319E509BE1

Function 000C2430 Relevance: 7.7, APIs: 5, Instructions: 158COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000000,7096605D,00000000,?,?,000BB7F3,0013ED7D,000000FF,?,000BDD9A,7096605D,00000000,?,?,?,0013E890), ref: 000C248A
?getloc@ios_base@std@@QBE?AVlocale@2@XZ.MSVCP140(?,?,?,000BB7F3,0013ED7D,000000FF,?,000BDD9A,7096605D,00000000,?,?,?,0013E890,000000FF), ref: 000C24AD
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,000BB7F3,0013ED7D,000000FF,?,000BDD9A,7096605D,00000000,?,?,?,0013E890,000000FF), ref: 000C2520
?snextc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(00000000,00000000,?,?,000BB7F3,0013ED7D,000000FF), ref: 000C2594
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,?,000BB7F3,0013ED7D,000000FF,?,000BDD9A,7096605D,00000000,?,?,?,0013E890,000000FF), ref: 000C25EF

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?getloc@ios_base@std@@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@?snextc@?$basic_streambuf@Ipfx@?$basic_istream@Vlocale@2@
String ID:
API String ID: 481934583-0
Opcode ID: 5400dd1a4bc57f0abd8d40bb1c47ae5cae63c8afc0d526721f17d58f7ce661e9
Instruction ID: ecdc625524be756168067afb6f21ce90ed247512b3ec77a22f18385eb6ebddbb
Opcode Fuzzy Hash: 5400dd1a4bc57f0abd8d40bb1c47ae5cae63c8afc0d526721f17d58f7ce661e9
Instruction Fuzzy Hash: 51616774A05645DFCB24CF98C494FAEBBF1BF09304F1441ACE8169BBA2CB71A944CB50

Function 000CA220 Relevance: 7.6, APIs: 5, Instructions: 138COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,?,?,00000030,?,000C452B,?,?,?,000C67E0), ref: 000CA2D7

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

memmove.VCRUNTIME140(00000000,?,000C452B,?,00000030,?,000C452B,?,?,?,000C67E0), ref: 000CA2E6
memmove.VCRUNTIME140(?,000C452B,?,00000000,?,000C452B,?,00000030,?,000C452B,?,?,?,000C67E0), ref: 000CA2FC
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000030,?,000C452B,?,?,?,000C67E0), ref: 000CA351
Concurrency::cancel_current_task.LIBCPMT ref: 000CA35C

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: d5b2d3a74ceb6a449b03d35860a3fa437908b1868ec7423dde27f019517c7a0c
Instruction ID: 1004a4f86ef6e2edf6748027628e53c24ffec6d0de269f3e9c46a33ec89fa0d5
Opcode Fuzzy Hash: d5b2d3a74ceb6a449b03d35860a3fa437908b1868ec7423dde27f019517c7a0c
Instruction Fuzzy Hash: D841C0B1B005159FD714DFBCC899EAEBBA8EB4A314724422DF829D7341EB30EE418791

Function 000CC050 Relevance: 7.6, APIs: 5, Instructions: 135COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 000CC11B
memmove.VCRUNTIME140(00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 000CC12A
memmove.VCRUNTIME140(?,?,?,00000000,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 000CC140
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,00000000,?,?,?,?,?,?,?,00000000), ref: 000CC197
Concurrency::cancel_current_task.LIBCPMT ref: 000CC19D

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 2016347663-0
Opcode ID: 2ff82955058c28badd6c87332a7a497f04336d00e9116b964f6aaab5c45b3a57
Instruction ID: 8bb32800c2d74474c6fc93486d2f22228aae59b3be75a7383cb760ce3a01ed6d
Opcode Fuzzy Hash: 2ff82955058c28badd6c87332a7a497f04336d00e9116b964f6aaab5c45b3a57
Instruction Fuzzy Hash: B241C4B1A005019FE718DF69CC95DAEB7A5EB89310728862DEC1AD7781E730EE51C780

Function 000C64B0 Relevance: 7.6, APIs: 5, Instructions: 128COMMON

Download Yara Rule

APIs

?_Ipfx@?$basic_istream@DU?$char_traits@D@std@@@std@@QAE_N_N@Z.MSVCP140(00000001,7096605D,?,?), ref: 000C650E
?sgetc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,?), ref: 000C654E
?sbumpc@?$basic_streambuf@DU?$char_traits@D@std@@@std@@QAEHXZ.MSVCP140(?,?), ref: 000C6576
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000000,00000000,?,?), ref: 000C6622

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: D@std@@@std@@U?$char_traits@$?sbumpc@?$basic_streambuf@?setstate@?$basic_ios@?sgetc@?$basic_streambuf@Ipfx@?$basic_istream@
String ID:
API String ID: 926534625-0
Opcode ID: 6b8fb17923c7ab3a7f89475977ca3a5ba34b59ad618a923c504f36389524bfbc
Instruction ID: 3b4d1072c354044d1749a1df848ebc07b80eaf17781499d815f31e5eed90ae1e
Opcode Fuzzy Hash: 6b8fb17923c7ab3a7f89475977ca3a5ba34b59ad618a923c504f36389524bfbc
Instruction Fuzzy Hash: A4517934A05244DFCB24CF68C584FADBBF1BF59304F24819DE4169BBA1C772A945CB90

Function 000BDC10 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

??0?$basic_ios@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140(7096605D,00000000,7FFFFFFF), ref: 000BDC5B
??0?$basic_ostream@DU?$char_traits@D@std@@@std@@QAE@PAV?$basic_streambuf@DU?$char_traits@D@std@@@1@_N@Z.MSVCP140(?,00000000,00000000), ref: 000BDC79
??0?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAE@XZ.MSVCP140 ref: 000BDCA3
?_Init@?$basic_streambuf@DU?$char_traits@D@std@@@std@@IAEXXZ.MSVCP140 ref: 000BDCB9
?setstate@?$basic_ios@DU?$char_traits@D@std@@@std@@QAEXH_N@Z.MSVCP140(00000002,00000000,000BC7AF,0000000A), ref: 000BDCFB

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: U?$char_traits@$D@std@@@std@@$??0?$basic_ios@??0?$basic_ostream@??0?$basic_streambuf@?setstate@?$basic_ios@D@std@@@1@_Init@?$basic_streambuf@V?$basic_streambuf@
String ID:
API String ID: 1830095303-0
Opcode ID: e9598777f17f1262cb654afcd51c104c9fb0d315c34ba366181b504c727919a9
Instruction ID: bb4a3ed1be68d6624402906b02c4399e27da0d0f5d174bb4f394ae42da775867
Opcode Fuzzy Hash: e9598777f17f1262cb654afcd51c104c9fb0d315c34ba366181b504c727919a9
Instruction Fuzzy Hash: 72314578A00206EFCB10CF58C984B9AFBF8FB4A314F10415EE5069B7A1D7B1A940CB90

Function 000E3F3B Relevance: 7.6, APIs: 5, Instructions: 63COMMONLIBRARYCODE

Download Yara Rule

APIs

_CxxThrowException.VCRUNTIME140(?,00155D48,?,?,?,75570E50), ref: 000A1607
__std_exception_copy.VCRUNTIME140(?,00000000,?,?,?,00155D48,?,?,?,75570E50), ref: 000A162E
_callnewh.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F43
malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50
_CxxThrowException.VCRUNTIME140(?,00155CAC,?), ref: 000E4ABF

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionThrow$__std_exception_copy_callnewhmalloc
String ID:
API String ID: 3601187372-0
Opcode ID: 6352266fd76052352d33eef6e6d4ce3af7883e9a885f61d119fa01cb52df3af5
Instruction ID: d1187fb590a503a0ec387d56c1b40e0f461ba2e4633518fa0f3217f8fdce4491
Opcode Fuzzy Hash: 6352266fd76052352d33eef6e6d4ce3af7883e9a885f61d119fa01cb52df3af5
Instruction Fuzzy Hash: C611E175C0020DBBCB14ABA9EC0699A7BAC9F11360F104531FA24B6592EB70EA9583D5

Function 001129C0 Relevance: 7.6, APIs: 5, Instructions: 60COMMON

Download Yara Rule

APIs

realloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000001,00000000,765C7170,?,00000088,000F5CD5,CURL_SSL_BACKEND,00000000,765C7170,000F4947,00000000,000F6F50), ref: 001129CB
GetEnvironmentVariableA.KERNEL32(?,00000000,00000001,00000000,000F6F50,?,?,?,?,?,?,?,?,00000000,00000000), ref: 001129EA
realloc.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00112A08
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,000F6F50,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00112A18
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,?,?,?,?,?,?,?,?,00000000,00000000), ref: 00112A30

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: freerealloc$EnvironmentVariable
String ID:
API String ID: 4071857516-0
Opcode ID: beabde1307960034b9f5af17d63af6c7f9f0808a46c78ffef46e395aafafd255
Instruction ID: b55e4c03ad17670e65880c6460245e2aca31574bebf4639f0e035a5352e6e38d
Opcode Fuzzy Hash: beabde1307960034b9f5af17d63af6c7f9f0808a46c78ffef46e395aafafd255
Instruction Fuzzy Hash: E8017537A411249F463127997C485EBBB9CDFC66737090136FE09D3600DB765C9591E2

Function 000EF7B0 Relevance: 7.5, APIs: 5, Instructions: 31COMMON

Download Yara Rule

APIs

DeleteCriticalSection.KERNEL32(?,?,000EF764,?,?,00000000,00000088,000F6784,00000000), ref: 000EF7BD
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00000088,000F6784,00000000), ref: 000EF7C6
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000EF764,?,?,00000000,00000088,000F6784,00000000), ref: 000EF7D2
closesocket.WS2_32(?), ref: 000EF7F4
memset.VCRUNTIME140(?,00000000,00000090), ref: 000EF802

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free$CriticalDeleteSectionclosesocketmemset
String ID:
API String ID: 1764800466-0
Opcode ID: 047b3160e797cd4c34dd5f23cdf1b50fd4a7b1a60321bee1425dcd99821ec7f7
Instruction ID: 3db9b15bf01deeee95f14191bc3e2d524ba748dbaa18164a0c318322bbc36f48
Opcode Fuzzy Hash: 047b3160e797cd4c34dd5f23cdf1b50fd4a7b1a60321bee1425dcd99821ec7f7
Instruction Fuzzy Hash: 35F05EB1900701EFDA205B79AC49A5777A86F04725F080D24F987E26B1D775E894C692

Function 000EDD40 Relevance: 7.5, APIs: 6, Instructions: 26COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(0000000F,?,00000000,000EE6B8,?,00000088,00000088), ref: 000EDD55
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000EDD5E
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000), ref: 000EDD67
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000EDD70
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000EDD79
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000EDD80

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: ed999e5615c00dbda7bd096734b8f67127aea03cc05d8968ddab9bf377848784
Instruction ID: 7efe7cb3b13cc4b3835c58d4e4aa9ee4899445c5392adc84cc44e196761eee07
Opcode Fuzzy Hash: ed999e5615c00dbda7bd096734b8f67127aea03cc05d8968ddab9bf377848784
Instruction Fuzzy Hash: 60F01C32400710EFCB211F54EC0889A7BB9FF847123054A58F95E6A970C77AA8D9DBD2

Function 000AF850 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 244COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000002,00000000,0014F9E8,00000002,?,?,?,00000001,00000000,0014F9EC,00000001,?,?,[json.exception.,00000010,?), ref: 000AFAB9
__std_exception_destroy.VCRUNTIME140(0000000F,?,?,7096605D,?,?), ref: 000AFB01
__std_exception_destroy.VCRUNTIME140(?,?,7096605D,?,?), ref: 000AFB11

Part of subcall function 000ADFC0: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 000AE08E
Part of subcall function 000ADFC0: memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 000AE09C

Part of subcall function 000ADFC0: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,?), ref: 000AE0DF
Part of subcall function 000ADFC0: memmove.VCRUNTIME140(00000000,?,00000000,?,?), ref: 000AE0E7
Part of subcall function 000ADFC0: memmove.VCRUNTIME140(7FFFFFFF,?,?,00000000,?,00000000,?,?), ref: 000AE0F3

Strings

[json.exception., xrefs: 000AF8C9

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$__std_exception_destroy_invalid_parameter_noinfo_noreturn
String ID: [json.exception.
API String ID: 1357646913-791563284
Opcode ID: 482daff1b47b07b16de1fbafc06b11ab2cfaa9f29ab7942986331ebc5df75a41
Instruction ID: 31c6e62363b115506603799bc43f7773d348a6d6242ee9143eedb34ff7c63a2b
Opcode Fuzzy Hash: 482daff1b47b07b16de1fbafc06b11ab2cfaa9f29ab7942986331ebc5df75a41
Instruction Fuzzy Hash: 52910871D002499FDB04DFE8C945BEEBBB5EF46300F24822DE414AB692D774AE85CB91

Function 000AFF90 Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 234COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,, column ,00000009,?, at line ,00000009,?,?,?,?,?,?,7096605D,?,?), ref: 000B00E4

Part of subcall function 000ADFC0: memmove.VCRUNTIME140(00000000,7FFFFFFF,00000000,?,?), ref: 000AE08E
Part of subcall function 000ADFC0: memmove.VCRUNTIME140(00000000,?,?,00000000,7FFFFFFF,00000000,?,?), ref: 000AE09C

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,?,?,00000009,00000000,, column ,00000009,?, at line ,00000009,?,?,?,?,?,?), ref: 000B0229

Strings

at line , xrefs: 000B006E
, column , xrefs: 000B00C7

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$_invalid_parameter_noinfo_noreturn
String ID: at line $, column
API String ID: 2580228974-191570568
Opcode ID: 35e3ee40b1d01d19dd751e00b471183089ea0e80d8e9e69ca48c89040031ee80
Instruction ID: ea38e2d5ca39dd9db8f004562d4bdaeb3807d01a7a3dc6e463f5c1d442c5b3a0
Opcode Fuzzy Hash: 35e3ee40b1d01d19dd751e00b471183089ea0e80d8e9e69ca48c89040031ee80
Instruction Fuzzy Hash: CC91D571D002488FDB18CFA8DC89BEEBBB5EF45300F14825DE415AB792DB749A85CB51

Function 000B5440 Relevance: 7.2, APIs: 3, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,00000001,00000001), ref: 000B5576
memmove.VCRUNTIME140(000000FF,?,00000000), ref: 000B5679
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,?,00000000), ref: 000B56BE

Strings

signature, xrefs: 000B5508

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$_invalid_parameter_noinfo_noreturn
String ID: signature
API String ID: 2580228974-2928148801
Opcode ID: 58c0cdc8f90c164adef92b0daa73743f59f59d468f54bd3ff4ad8e367818c19f
Instruction ID: b9d6b7b14573ec6865eb6ffa3c0a9e3c3bac8ec8f7e35f935c2c63f2a27d93c9
Opcode Fuzzy Hash: 58c0cdc8f90c164adef92b0daa73743f59f59d468f54bd3ff4ad8e367818c19f
Instruction Fuzzy Hash: A681E771D006489FCF08DFA8DC95BEEB7B5EF49301F148259E8157B282E730AA85CB91

Function 000B02E0 Relevance: 7.1, APIs: 3, Strings: 1, Instructions: 148COMMON

Download Yara Rule

APIs

Part of subcall function 000AE120: memmove.VCRUNTIME140(?,75570E50,?,?,?,?,75570E50), ref: 000AE152

Part of subcall function 000BF790: memmove.VCRUNTIME140(00000000,00000000,?,?,00000000,?,?,000B24D2,?,?,00000000,00000000,?,?,0000000F,00000000), ref: 000BF7CF

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000B0412
__std_exception_copy.VCRUNTIME140(?,?), ref: 000B045C
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?), ref: 000B0498

Strings

out_of_range, xrefs: 000B0331

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: _invalid_parameter_noinfo_noreturnmemmove$__std_exception_copy
String ID: out_of_range
API String ID: 2013804569-3053435996
Opcode ID: 88555b56cfa9f685408a7db61e5d1364b4d8f37202e560d9400204584fde3dd2
Instruction ID: cea2a04766f6acf82b068439e7cbd9b8c5d83729618d80efa2800644a7694a65
Opcode Fuzzy Hash: 88555b56cfa9f685408a7db61e5d1364b4d8f37202e560d9400204584fde3dd2
Instruction Fuzzy Hash: 8651D471D002499FDB04CFA8DD857EEBBB4FF45310F108329E525AB691E7B4A984CB91

Function 000E4C3D Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 31COMMON

Download Yara Rule

APIs

__current_exception.VCRUNTIME140 ref: 000E4C7C
__current_exception_context.VCRUNTIME140 ref: 000E4C86
terminate.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000E4C8D

Strings

csm, xrefs: 000E4C47

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: __current_exception__current_exception_contextterminate
String ID: csm
API String ID: 2542180945-1018135373
Opcode ID: 6e0cd085d4f968ffdaaa73632ad8b8aa1ce9f75291e59383da7947cc97b2dcb0
Instruction ID: 440226c7bdaae404ce52663747232a0a436d5962843463c777e839895a39029e
Opcode Fuzzy Hash: 6e0cd085d4f968ffdaaa73632ad8b8aa1ce9f75291e59383da7947cc97b2dcb0
Instruction Fuzzy Hash: CAF0A7750012418FCBB06E7F9409019B7EDAF25721B740617D448EB621C770ED51CBD2

Function 000B0900 Relevance: 6.4, APIs: 5, Instructions: 172COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000030,?), ref: 000B0924
memmove.VCRUNTIME140(?), ref: 000B0954
memmove.VCRUNTIME140 ref: 000B097B
memset.VCRUNTIME140(?,00000030), ref: 000B0990

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmovememset
String ID:
API String ID: 1288253900-0
Opcode ID: 3b26b7cd52328fb2d4af8e63db6303faed9bafb032100bbec1e8b9a1c558cbb0
Instruction ID: 6d44197764a432fb71bce2652aae5ecc051094c3962470bb97a218a1ededa1bf
Opcode Fuzzy Hash: 3b26b7cd52328fb2d4af8e63db6303faed9bafb032100bbec1e8b9a1c558cbb0
Instruction Fuzzy Hash: A651F577A052069FD710CE6DD882AD6F799EB95210F4842BBE859C7342E362EA19C3D0

Function 000BF280 Relevance: 6.3, APIs: 4, Instructions: 292COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,00000000,00000000,?,?,?,?,?,?,?,?,?,?,0013EA7D,000000FF), ref: 000BF5CE
Concurrency::cancel_current_task.LIBCPMT ref: 000BF61B
Concurrency::cancel_current_task.LIBCPMT ref: 000BF625

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task$memmove
String ID:
API String ID: 3458649463-0
Opcode ID: 6d8a5f2c5999ee421e80c9f7828a9d42d5bfef1b2a30b28ca37c7b0d16fafdc1
Instruction ID: 59d03027a94ba00a511ab8a78daa374ab3312f13e180e9cdf21c66b3158ffdea
Opcode Fuzzy Hash: 6d8a5f2c5999ee421e80c9f7828a9d42d5bfef1b2a30b28ca37c7b0d16fafdc1
Instruction Fuzzy Hash: 29C13BB1D00659DFCB10CF68C8946ADFBF0BF49314F28816AE819AB352D775A946CF90

Function 00131E50 Relevance: 6.3, APIs: 5, Instructions: 40COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 00131E6A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 00131E8F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00128421,000002E0,000F2EB8,000F6AAE,000F2EB8,00000000,?,00000000,000F2EB8,00000000,00000000,00000000,?), ref: 00131EB1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 00131EC1
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 00131ED8

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 795fc1b5689de81508ff3f68f83c941000a4196b52ad907fb7724882542adaea
Instruction ID: a1159d49a1098a13533981accc8e173517996013344396e72ef603bce8ac787e
Opcode Fuzzy Hash: 795fc1b5689de81508ff3f68f83c941000a4196b52ad907fb7724882542adaea
Instruction Fuzzy Hash: 4711C5B0100700EFD7619F55DD48B46BBF4BF08305F044918F89A86AA0C7BAF894CF51

Function 000FF850 Relevance: 6.3, APIs: 5, Instructions: 33COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(000006E0,000006E0,00000000,?,00000088,000F6711,000006E0,00000000,000006E0,?,00000000,00000001,000008A0,00000000,00000088), ref: 000FF86D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,000F6711,000006E0,00000000,000006E0,?,00000000,00000001,000008A0,00000000,00000088), ref: 000FF876
free.API-MS-WIN-CRT-HEAP-L1-1-0(000006E0,?,00000088,000F6711,000006E0,00000000,000006E0,?,00000000,00000001,000008A0,00000000,00000088), ref: 000FF87D
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000088,00000000,?,00000088,000F6711,000006E0,00000000,000006E0,?,00000000,00000001,000008A0,00000000,00000088), ref: 000FF88D
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000088,?,00000088,000F6711,000006E0,00000000,000006E0,?,00000000,00000001,000008A0,00000000,00000088), ref: 000FF894

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 68ab09d90aa853655fee7b9356e98f2b6b4fcad6f051055bd2f27b55cbb81db3
Instruction ID: 43427dd563ba694e14f2af05a950c241fc4238472702c6f7be2bae8d46b65ed1
Opcode Fuzzy Hash: 68ab09d90aa853655fee7b9356e98f2b6b4fcad6f051055bd2f27b55cbb81db3
Instruction Fuzzy Hash: 06F0B432100204FFCB104F04EC486A6BBBCFF84352B144535FE0D5B620CB7AA994CB91

Function 000B15B0 Relevance: 6.3, APIs: 4, Instructions: 279COMMON

Download Yara Rule

APIs

Part of subcall function 000E39EA: ___lc_codepage_func.API-MS-WIN-CRT-LOCALE-L1-1-0(000C1BB3,7096605D,?,000B4792), ref: 000E39EA

memmove.VCRUNTIME140(?,?,00000001), ref: 000B16DA
memmove.VCRUNTIME140(?,?,00000002), ref: 000B1746
memmove.VCRUNTIME140(?,?,00000000,0014FAF4,?,?,00000002,00000000,?,00000002), ref: 000B17EB
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(00000000,00000000,00000022,?,?,00000002,00000000,?,00000002), ref: 000B18AC

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$___lc_codepage_func_invalid_parameter_noinfo_noreturn
String ID:
API String ID: 4026628035-0
Opcode ID: 59f556e68053efc119089f4837fb9d59359a4838a03c4de19eef8b356cdc773b
Instruction ID: 7cc38af1e5dd819cc5b4a1b6f4b3ee7d914e83f7cccd9330fbabd87d8826e9e5
Opcode Fuzzy Hash: 59f556e68053efc119089f4837fb9d59359a4838a03c4de19eef8b356cdc773b
Instruction Fuzzy Hash: 15B18C70E002049FCB28DF68C895BEEBBF5FF89700F14462DE456AB742DB70A9458B91

Function 00112EE0 Relevance: 6.2, APIs: 2, Strings: 2, Instructions: 166stringCOMMON

Download Yara Rule

APIs

strchr.VCRUNTIME140(?,?,0123456789abcdef,?,?), ref: 00112F50
strchr.VCRUNTIME140 ref: 00112F6A

Part of subcall function 00112E30: strchr.VCRUNTIME140(0123456789,0014F8DC,?,000006E0,0014F8DC,?,?,00112E2C,00000017,00000017), ref: 00112E5C

Strings

0123456789ABCDEF, xrefs: 00112F5D, 00112F62
0123456789abcdef, xrefs: 00112F42, 00112F48

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: strchr
String ID: 0123456789ABCDEF$0123456789abcdef
API String ID: 2830005266-885041942
Opcode ID: b6f2b29de0332793d9632c0f0dad44c6e0520094edf82b45c332c223f457bd9e
Instruction ID: a43ca4b054b6dbb79bd339b84828d99f5e8746b2929741a6dc52e98981e121e8
Opcode Fuzzy Hash: b6f2b29de0332793d9632c0f0dad44c6e0520094edf82b45c332c223f457bd9e
Instruction Fuzzy Hash: 8751E375A083418BC718DF28C4805AFFBE1AF99344F844A2DF4D997205E731EA89C793

Function 000C26A0 Relevance: 6.1, APIs: 4, Instructions: 145COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,00000000,000B4792,?,00000000), ref: 000C276D
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,00000000), ref: 000C27D5
memmove.VCRUNTIME140(00000000,?,000B4792,?,00000000), ref: 000C27DD

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

Concurrency::cancel_current_task.LIBCPMT ref: 000C2815

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 09942f73f6456ae87dca0d42159f6f51be9a69bb796748c259961a53f3585b82
Instruction ID: 4a1a7748da8c51e49cc0f24c4636680f1a7f891cfa79f8a42bcf1e7a3ca2ad46
Opcode Fuzzy Hash: 09942f73f6456ae87dca0d42159f6f51be9a69bb796748c259961a53f3585b82
Instruction Fuzzy Hash: 8341E575A002199BCB14DFA8C8C5AAEB3F5FF58310B24463DE812D7795E730AD618B90

Function 000CA370 Relevance: 6.1, APIs: 4, Instructions: 139COMMON

Download Yara Rule

APIs

memset.VCRUNTIME140(?,00000000,?,00000030), ref: 000CA448
memmove.VCRUNTIME140(00000000,?,?,00000030), ref: 000CA47A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,00000030), ref: 000CA4D8

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

Concurrency::cancel_current_task.LIBCPMT ref: 000CA4DE

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmallocmemmovememset
String ID:
API String ID: 2090792099-0
Opcode ID: 497858ad375708b42ddd15cf5f1263299ff9dee893c82a89e05c0eea129eb01a
Instruction ID: 4b873ffea4bd658c86cfa5488d265f805423a10b3a958f2ce3da9c6de9ce5e88
Opcode Fuzzy Hash: 497858ad375708b42ddd15cf5f1263299ff9dee893c82a89e05c0eea129eb01a
Instruction Fuzzy Hash: B241D971A001099FC718DF68C889EAEB7B5FF85314F24862DE81597345E770EE50CB91

Function 000A28E0 Relevance: 6.1, APIs: 4, Instructions: 135COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,00000001,00000002), ref: 000A2993
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000A29DE
memmove.VCRUNTIME140(00000000,?,00000002), ref: 000A29E6

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

Concurrency::cancel_current_task.LIBCPMT ref: 000A2A0E

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 0b8cc072c7fe61c50a0cb4ed1128523fd84a442b213142f024c2c7026277e81f
Instruction ID: 933635f8a57793230c9786591623e7f32ee29e033d86dbcf23008517a4cd63e1
Opcode Fuzzy Hash: 0b8cc072c7fe61c50a0cb4ed1128523fd84a442b213142f024c2c7026277e81f
Instruction Fuzzy Hash: 82412672A002408FCB25DFACD8846AFBBE6AFD6700F2442B9E859DB346D630DD55C791

Function 000C1A30 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(000B4792,000B4792,?,?,00000000,?,000B4792,?), ref: 000C1A91

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 1d5f59226f2c4cc7d7492d036a49f01d3f91b450fb424d6640fa282d65abf50d
Instruction ID: 0dc62fa307bfb6709d504f41e11096e665e7d850c4b3d8c8814eb69acc66da22
Opcode Fuzzy Hash: 1d5f59226f2c4cc7d7492d036a49f01d3f91b450fb424d6640fa282d65abf50d
Instruction Fuzzy Hash: 0C31E872A013048BC7309F68D844BAEF7E8DF96321F24067EE855C7293E7719E5487A2

Function 000C1260 Relevance: 6.1, APIs: 4, Instructions: 114COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,000BAFF8,00000000,?,?,000BAFF8,?,?), ref: 000C128D
memmove.VCRUNTIME140(00000023,?,000BAFF8,?,000BAFF8,?,?), ref: 000C1332
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,000BAFF8,?,?), ref: 000C137F
Concurrency::cancel_current_task.LIBCPMT ref: 000C138A

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: e5262ec7698aed2a3a461194b97ce6a7a3e7b67a90493df1d1b52331ad26238e
Instruction ID: e1986bba02f773d68ad56f2d76bced8a795717e000ddeb10eec19f87cb459335
Opcode Fuzzy Hash: e5262ec7698aed2a3a461194b97ce6a7a3e7b67a90493df1d1b52331ad26238e
Instruction Fuzzy Hash: 3A3106B1A002849BC7249F68D884EEDB7E9EF56314F24027EF815CB793D7709E508791

Function 000C21C0 Relevance: 6.1, APIs: 4, Instructions: 113COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000000,?,000B16C1,?,000B16C0,?), ref: 000C227A
_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,000B16C0,?), ref: 000C22B7
memmove.VCRUNTIME140(00000000,?,000B16C1,?,000B16C0,?), ref: 000C22BF

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

Concurrency::cancel_current_task.LIBCPMT ref: 000C22D9

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: adc1b2f0a205ae6ab92aabb39457ab3a4702cb43cd2c926c53ce74320b10e1b2
Instruction ID: e04d39005a561a862ca7ebe663d3f4970555f01bd753c75a39f336b7bd218b8c
Opcode Fuzzy Hash: adc1b2f0a205ae6ab92aabb39457ab3a4702cb43cd2c926c53ce74320b10e1b2
Instruction Fuzzy Hash: 2C310B73E00114ABCB18EFACD885AAEB7E9EB94310B14437DE815EB745D630DE5187D1

Function 000A27E0 Relevance: 6.1, APIs: 4, Instructions: 102COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,?,?,?,?,?,?,?,?,000000FF), ref: 000A2815
memmove.VCRUNTIME140(00000000,?,?,?,?,?,?,?,?,000000FF), ref: 000A28AF

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove
String ID:
API String ID: 2162964266-0
Opcode ID: 5bcd0956511ab75d232d6523115ac4d6b47ff44465e488a5bdfbda3c20f9d834
Instruction ID: a8efc5cbaa17dc40b2a736f5fbabec05cfaab8ee6299d2633dbef55f69a57062
Opcode Fuzzy Hash: 5bcd0956511ab75d232d6523115ac4d6b47ff44465e488a5bdfbda3c20f9d834
Instruction Fuzzy Hash: 782101B1D013109FC724AFAC984559E77E8EF56360F210279F82997391EB74DD4087E1

Function 000B1BB0 Relevance: 6.1, APIs: 2, Strings: 2, Instructions: 101COMMON

Download Yara Rule

APIs

Part of subcall function 000B1460: _invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0 ref: 000B156E

_CxxThrowException.VCRUNTIME140(?,00155DCC,?,?,00000000,?,create_directory,7096605D,00000000), ref: 000B1C2F
_CxxThrowException.VCRUNTIME140(?,00155DCC,?,?,?,current_path(),7096605D,?,?), ref: 000B1CB1

Strings

create_directory, xrefs: 000B1BF6
current_path(), xrefs: 000B1C83

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ExceptionThrow$_invalid_parameter_noinfo_noreturn
String ID: create_directory$current_path()
API String ID: 2822070131-686078018
Opcode ID: 37758f63734f1b32d7e1b417d1b3dca81d77557f0890c8f759d7e8b6358565c0
Instruction ID: 0d07e2b92512415ebb9606691080d5fd172319112645248835e66c45dfd10c95
Opcode Fuzzy Hash: 37758f63734f1b32d7e1b417d1b3dca81d77557f0890c8f759d7e8b6358565c0
Instruction Fuzzy Hash: 772151B1900208EBCB10DF55DD46FCABBBCFB15720F544265F925A7691EB70AA08CAA1

Function 000C3770 Relevance: 6.1, APIs: 4, Instructions: 94COMMON

Download Yara Rule

APIs

_invalid_parameter_noinfo_noreturn.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F,00000000,00000000), ref: 000C380B
memmove.VCRUNTIME140(?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D,?,00000001,0000000F), ref: 000C382F
memmove.VCRUNTIME140(?,?,DCC8DA8D,?,?,?,DCC8DA8D,?,?,?,?,?,?,?,?,DCC8DA8D), ref: 000C3840
Concurrency::cancel_current_task.LIBCPMT ref: 000C385A

Part of subcall function 000E3F3B: malloc.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,000AE1C8,?,?,?,?,75570E50), ref: 000E3F50

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task_invalid_parameter_noinfo_noreturnmalloc
String ID:
API String ID: 2075926362-0
Opcode ID: 47875d6f55c2538ffe6c75afd939861db930982d26216014e1fe3e047bd9004d
Instruction ID: 0d8972d6c190070219fd3fbf4d2915e04c86752ef63a0d26d223614a18ff48dc
Opcode Fuzzy Hash: 47875d6f55c2538ffe6c75afd939861db930982d26216014e1fe3e047bd9004d
Instruction Fuzzy Hash: 4A31C4B1D102049FDB24DF68C851BAEB7F5AF84300F14826DF815A7342DB31DE548B91

Function 000AE120 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(?,75570E50,?,?,?,?,75570E50), ref: 000AE152
memmove.VCRUNTIME140(?,75570E50,?,?,?,?,75570E50), ref: 000AE1DB
Concurrency::cancel_current_task.LIBCPMT ref: 000AE1F8

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: memmove$Concurrency::cancel_current_task
String ID:
API String ID: 1247048853-0
Opcode ID: 1580abca7e0d1f3b4ad750c3f9631695ef85f2851e38152a732f1531c8fb323f
Instruction ID: 4fe8617f1e3e7f30ac2b8c7c565e496bd9f3fbec1ab42a9bb8877c7d7dda5cc7
Opcode Fuzzy Hash: 1580abca7e0d1f3b4ad750c3f9631695ef85f2851e38152a732f1531c8fb323f
Instruction Fuzzy Hash: D6212C72D012549BC7249FE8D8816AEBBD9EF46360F14026AFC29DB292D7308D5187E2

Function 000CE690 Relevance: 6.1, APIs: 4, Instructions: 83COMMON

Download Yara Rule

APIs

memmove.VCRUNTIME140(00000010,?,00000000,?,?,?,80070057,?), ref: 000CE6EC
memset.VCRUNTIME140(00000010,00000000,00000000,?,?,?,80070057,?), ref: 000CE6F9
_errno.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,80070057,?), ref: 000CE701
_invalid_parameter_noinfo.API-MS-WIN-CRT-RUNTIME-L1-1-0(?,?,?,80070057,?), ref: 000CE70D

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: _errno_invalid_parameter_noinfomemmovememset
String ID:
API String ID: 524079128-0
Opcode ID: 13110c67cbdc5abb53cd30d883fce5df5035da6ce34067fb5ae0db58398787e7
Instruction ID: 1efbef1e79274cb19ae46d10878c07ec5b895490ad03ae6f92a971f81d901b94
Opcode Fuzzy Hash: 13110c67cbdc5abb53cd30d883fce5df5035da6ce34067fb5ae0db58398787e7
Instruction Fuzzy Hash: 2921F875A01605AFC714DFA8D889E9DB7F8EF49350B1081A9E915DB261EB30ED01CBA1

Function 000EED50 Relevance: 6.1, APIs: 4, Instructions: 53COMMON

Download Yara Rule

APIs

QueryPerformanceCounter.KERNEL32(765C6BF0,765C6BF0,?,?,765C6BF0), ref: 000EED63
__alldvrm.LIBCMT ref: 000EED7D
__ehfuncinfo$??2@YAPAXIABUnothrow_t@std@@@Z.LIBCMT ref: 000EEDA4
GetTickCount.KERNEL32 ref: 000EEDC1

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: CountCounterPerformanceQueryTickUnothrow_t@std@@@__alldvrm__ehfuncinfo$??2@
String ID:
API String ID: 1296068966-0
Opcode ID: c4ef8691c53afa30ea53af8da94deda6b34b36f68a7794c75d72c68337a32777
Instruction ID: 208c0f6d1c684b95f28e817845eb62b74948d0e7eb96da8de3762549d10cec6e
Opcode Fuzzy Hash: c4ef8691c53afa30ea53af8da94deda6b34b36f68a7794c75d72c68337a32777
Instruction Fuzzy Hash: C61125B1208305AFC705EF78FC45A2ABFE8EB89300F50482DF508D62A0E7329A48CB55

Function 000E3AEF Relevance: 6.0, APIs: 4, Instructions: 44COMMON

Download Yara Rule

APIs

WideCharToMultiByte.KERNEL32(?,00000400,7096605D,00000000,00000000,00000000,00000000,00000000,?,?,?,000C195C,00000000,?,00000000,00000000), ref: 000E3B0C
GetLastError.KERNEL32(?,000C195C,00000000,?,00000000,00000000,00000000,7096605D,?,?), ref: 000E3B18
WideCharToMultiByte.KERNEL32(?,00000000,7096605D,00000000,00000000,00000000,00000000,00000000,?,000C195C,00000000,?,00000000,00000000,00000000,7096605D), ref: 000E3B3E
GetLastError.KERNEL32(?,000C195C,00000000,?,00000000,00000000,00000000,7096605D,?,?), ref: 000E3B4A

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: ByteCharErrorLastMultiWide
String ID:
API String ID: 203985260-0
Opcode ID: b21e08d0973b34dc0d26ee730282a734bfc85ecb41afb44a8c5e8507f22fac5d
Instruction ID: 11fae9accab780bcd1927db53ed1cb8833c1e243e02599c113f26edfb121ce87
Opcode Fuzzy Hash: b21e08d0973b34dc0d26ee730282a734bfc85ecb41afb44a8c5e8507f22fac5d
Instruction Fuzzy Hash: 3A01C236600196BF8F225F56DC08D9F7E6AEBD9BA1B114114FF0596530C731C9A2E7A0

Function 000C03E1 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 163COMMON

Download Yara Rule

APIs

_dclass.API-MS-WIN-CRT-MATH-L1-1-0 ref: 000C03F1
_dsign.API-MS-WIN-CRT-MATH-L1-1-0 ref: 000C0415

Part of subcall function 000B0900: memset.VCRUNTIME140(?,00000030,?), ref: 000B0924

Strings

null, xrefs: 000C05D3

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: _dclass_dsignmemset
String ID: null
API String ID: 2282577375-634125391
Opcode ID: ec8678a1f260830deccde6630314cf0c85033e01f4483b7d2443e606ef669fa3
Instruction ID: f303a701a640590300b7941a189b6b1059c1ffef106416a5f72405a8f17b152b
Opcode Fuzzy Hash: ec8678a1f260830deccde6630314cf0c85033e01f4483b7d2443e606ef669fa3
Instruction Fuzzy Hash: 99619E71C0061D8BDB01DFA8C9416EDFBB0FF19314F148369E955BB252EB31AA98CB90

Function 0013C592 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 22COMMON

Download Yara Rule

APIs

Part of subcall function 0013C5E5: memset.VCRUNTIME140(?,00000000,00000018,?,?,0013C59A,?,000A151A), ref: 0013C5F2

Part of subcall function 000B0F40: InitializeCriticalSectionEx.KERNEL32(?,00000000,00000000,?,00155E4C), ref: 000B0F45
Part of subcall function 000B0F40: GetLastError.KERNEL32(?,00000000,00000000,?,00155E4C), ref: 000B0F4F

IsDebuggerPresent.KERNEL32(?,?,?,000A151A), ref: 0013C5C5
OutputDebugStringW.KERNEL32(ERROR : Unable to initialize critical section in CAtlBaseModule,?,?,?,000A151A), ref: 0013C5D4

Strings

ERROR : Unable to initialize critical section in CAtlBaseModule, xrefs: 0013C5CF

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: CriticalDebugDebuggerErrorInitializeLastOutputPresentSectionStringmemset
String ID: ERROR : Unable to initialize critical section in CAtlBaseModule
API String ID: 4206453544-631824599
Opcode ID: fa0fe7a30e7432358c228d3a6370b8a91c07175a911020be0bbc82a9e0b169f1
Instruction ID: 20a8570482b822cd2c3af8bfc8daffd10b3ef84abc8273f40f4680a2b6059672
Opcode Fuzzy Hash: fa0fe7a30e7432358c228d3a6370b8a91c07175a911020be0bbc82a9e0b169f1
Instruction Fuzzy Hash: 59E092703003018FC3209F74D508787BBE4AF15741F00886DE886E3B51EBB4E484CB91

Function 000F6B30 Relevance: 5.0, APIs: 4, Instructions: 49COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,00000088,000F692E,00000000,00000D30), ref: 000F6B44
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F6B68
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F6B8D
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 000F6BBB

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: c226549dd3b49408c3cd49824dfc8017aab92ecd631ec08b87d1a2d1d8c7dda1
Instruction ID: 759237e06048db40a7f4c448d7d749e6d8ddbedb7bce8f36173712e2e2a024b5
Opcode Fuzzy Hash: c226549dd3b49408c3cd49824dfc8017aab92ecd631ec08b87d1a2d1d8c7dda1
Instruction Fuzzy Hash: CC118EB1500742EFEB288F34D9487D1FBA4BF00305F040725DA5956251CB3B34A8DBD6

Function 00132300 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 0013231A
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 0013233F
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000000,00127805,00000368,000F2EB8,000F6AB4,000F2EB8,000F2EB8,00000000,?,00000000,000F2EB8,00000000,00000000,00000000), ref: 00132361
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,00000088,?,?,?,?,000EA1C4,?,?,000F0088,?), ref: 00132371

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: f160403c260e79880a93a79a1472fcbf2d7297b5e06961b36b2270adedf57644
Instruction ID: 7388e4f0c5527ed04147824f19c54e4bbe7f0b068ce048f2635f9a774e31068a
Opcode Fuzzy Hash: f160403c260e79880a93a79a1472fcbf2d7297b5e06961b36b2270adedf57644
Instruction Fuzzy Hash: 1A0192B0100B00DFD7609F25E948B46BBF4BF08315F148918E89A86AA0C7BAF898CF55

Function 000F12B0 Relevance: 5.0, APIs: 4, Instructions: 33COMMON

Download Yara Rule

APIs

Part of subcall function 000FF170: free.API-MS-WIN-CRT-HEAP-L1-1-0(000008A0,00000000,000008A0,000F4F3E,?,00000000,000008A0,000FACB9,000008A0), ref: 000FF185
Part of subcall function 000FF170: free.API-MS-WIN-CRT-HEAP-L1-1-0(000008A0), ref: 000FF192

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 000F12DE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 000F12EE
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,?,?,?,?,?,?,?,?), ref: 000F12FE
memset.VCRUNTIME140(?,00000000,00000170,?,?,?,?,?,?,?,?), ref: 000F130C

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free$memset
String ID:
API String ID: 2717317152-0
Opcode ID: 682841baa7eb1d33689200f903bc597454ffdd531d67ad44b0b63fb30c9b8c10
Instruction ID: 217441c76d9524ee847dbaee90d3201019ae2d525d2bb0d83706dfba2c075482
Opcode Fuzzy Hash: 682841baa7eb1d33689200f903bc597454ffdd531d67ad44b0b63fb30c9b8c10
Instruction Fuzzy Hash: 45011D71401B10EBD7626F20ED097D6BBE0BF05719F44091CF98A15EA1C7BAB498DB81

Function 00100860 Relevance: 5.0, APIs: 4, Instructions: 31COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(?,000006DC,00000000,?,00000088,000F673E,000006DC), ref: 0010087D
free.API-MS-WIN-CRT-HEAP-L1-1-0(000006DC,?,00000088,000F673E,000006DC), ref: 00100884
free.API-MS-WIN-CRT-HEAP-L1-1-0(?,00000000,?,00000088,000F673E,000006DC), ref: 00100895
free.API-MS-WIN-CRT-HEAP-L1-1-0(00000088,?,00000088,000F673E,000006DC), ref: 0010089C

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8628e5b3fbc3b4b200d82a48893470f28e5afd200f9c3b2d8f7e0f0987cc4c15
Instruction ID: 043a4b84290dcec4945a6ce9c3686db22b8dcca989a020779655ee5de24cf3e7
Opcode Fuzzy Hash: 8628e5b3fbc3b4b200d82a48893470f28e5afd200f9c3b2d8f7e0f0987cc4c15
Instruction Fuzzy Hash: 69F05E36000300FFCB015F04EC44A86B768FF85322F148525FD595B651C7BAA9A4CBD1

Function 001306B0 Relevance: 5.0, APIs: 4, Instructions: 27COMMON

Download Yara Rule

APIs

free.API-MS-WIN-CRT-HEAP-L1-1-0(00000000,00000000,000FF211,000008EC,000006DC,000F6752,00000000,?), ref: 001306B7
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 001306E2
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 001306F5
free.API-MS-WIN-CRT-HEAP-L1-1-0(?), ref: 00130705

Memory Dump Source

Source File: 00000000.00000002.1866237559.00000000000A1000.00000020.00000001.01000000.00000007.sdmp, Offset: 000A0000, based on PE: true

Associated: 00000000.00000002.1866219436.00000000000A0000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866286817.0000000000141000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866305445.0000000000159000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866318725.000000000015A000.00000008.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866434485.00000000001A6000.00000004.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001A8000.00000002.00000001.01000000.00000007.sdmpDownload File
Associated: 00000000.00000002.1866462794.00000000001C2000.00000002.00000001.01000000.00000007.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_0_2_a0000_SecuriteInfo.jbxd

Similarity

API ID: free
String ID:
API String ID: 1294909896-0
Opcode ID: 8eec4f2160b20222e8e88c2ce08874fcb7978041548e35b74e86168f55c516bc
Instruction ID: 4d2731a187b1a5cea258179965ffa80ffcdbc3abf269ae2dff7fa09677883e2a
Opcode Fuzzy Hash: 8eec4f2160b20222e8e88c2ce08874fcb7978041548e35b74e86168f55c516bc
Instruction Fuzzy Hash: AFF0B7B0000701DFE7209F14EC08B46BBF4BF04305F148918F99A86A60D7BAE8A8CF96

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to identify the primary user, currently logged in user, set of users that commonly uses a system, or whether a user is actively using the system. They may do this, for example, by retrieving account usernames or by using OS Credential Dumping . The information may be collected in a number of different ways using other Discovery techniques, because user and username details are prevalent throughout a system and include running process ownership, file/directory ownership, session information, and system logs. Adversaries may use the information from [System Owner/User Discovery](https://attack.mitre.org/techniques/T1033) during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_SecuriteInfo.com_9ffa6a94f5231de6490ea3ae72ad68e315c65_678091f3_076ba889-fe90-4a2b-a0ee-af4f1e04b704\Report.wer

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA447.tmp.dmp

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA503.tmp.WERInternalMetadata.xml

C:\ProgramData\Microsoft\Windows\WER\Temp\WERA572.tmp.xml

C:\Windows\appcompat\Programs\Amcache.hve

\Device\ConDrv

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Rich Headers

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Network Port Distribution

TCP Packets

Windows Analysis Report
SecuriteInfo.com.Trojan.GenericKD.74444428.17336.1019.exe

Function 000CEDB0 Relevance: 62.1, APIs: 27, Strings: 8, Instructions: 881
memorylibrarythreadCOMMON

Function 000D1670 Relevance: 21.3, APIs: 11, Strings: 1, Instructions: 264
libraryloaderinjectionCOMMON

Function 000EC150 Relevance: 18.5, APIs: 12, Instructions: 493
COMMON

Function 0010D550 Relevance: 12.3, APIs: 8, Instructions: 265
networksleepCOMMON

Function 000D0910 Relevance: 9.0, APIs: 4, Strings: 1, Instructions: 271
librarymemoryloaderCOMMON

Function 000FF5C0 Relevance: 49.2, APIs: 19, Strings: 9, Instructions: 188
libraryloadernetworkCOMMON

Function 000D1000 Relevance: 33.6, APIs: 12, Strings: 7, Instructions: 304
registryCOMMON

Function 000FF410 Relevance: 28.1, APIs: 12, Strings: 4, Instructions: 148
librarystringloaderCOMMON